Plaintiff and Counter-Defendant InterTrust Technologies Corporation ("InterTrust") and 
Defendant and Counter-Claimant Microsoft Corporation ("Microsoft") submit the following 
Joint Claim Construction and Prehearing Statement in accordance with Patent Local Rule 4-3. 

RULE 4-3(a) and (b) 

Claim terms and phrases on which the parties agree are listed at the beginning of Exhibit 
B, attached. 

RULE 4-3(b) 

Attached hereto as Exhibit A is Microsoft's presentation of disputed claim terms 
and Microsoft's proposed constructions. Attached hereto as Exhibit B is InterTrust's 
presentation of disputed claim terms and InterTrust's proposed constructions. The parties are 
discussing a joint presentation that would present each party's position on all disputed terms in a 
side-by-side format. If the parties reach agreement on such a submission, the parties will provide 
that submission to the Court as a substitute for the attached Exhibits A and B. 

Attached hereto as Exhibit C is InterTrust's identification of intrinsic and 
extrinsic evidence supporting InterTrust's proposed construction for each disputed term and 
phrase. 

Attached hereto as Exhibit D is Microsoft's identification of intrinsic and 
extrinsic evidence supporting Microsoft's proposed construction for each disputed term and 
phrase. 

Attached hereto as Exhibit E is a Microsoft statement of reservations. 

RULE 4-3(c) 

The Court has set aside three days for the Claim Construction Hearing. 

RULE 4-3(d) 

Attached hereto as Exhibit F is a summary of expert testimony to be presented by 
InterTrust. Attached hereto as Exhibit G is a summary of expert testimony to be presented by 
Microsoft. 

RULE 4-3(e) 

Following is a list of other issues the parties believe might appropriately be taken 
up at the Case Management Conference hearing set for February 13, or such other prehearing 
conference as the Court may wish to schedule. Substantive argument on these issues is set forth 
in the Joint Case Management Conference Statement filed concurrently herewith. 

A. Issues upon which the parties agree: 

1. Live expert testimony should not be presented. Each party will undertake its best 
efforts to have its above-designated expert(s) present at the hearing to respond to 
questions from the Court. 

2. Each party will undertake its best efforts to have its declarants available for deposition 
within one week of submitting Claim Construction or indefiniteness summary judgment 
declarations. 

3. Normal briefing page limits should be doubled for the Claim Construction briefs. 

4. There will be no post-hearing briefing, except at the request of the Court. 

B. Issues which the parties agree should be taken up at the Case Management Conference, but as 
to which the parties do not agree on substance: 

1. The number of claim construction briefs to be filed by the parties. 

2. Format of the Claim Construction Hearing. 

a. Whether the parties should present tutorials, and, if so, the length and format of 
such a tutorial. 

b. Whether the parties should present a non-tutorial opening statement. 

c. The format and ordering of substantive argument on disputed claim language. 

d. Whether the currently scheduled Mini-Markman proceeding should be devoted 
to all of the disputed terms and phrases from the 12 selected patent claims, or a 
subset. 



PATENT LOCAL RULE 4-3 JOINT CLAIM CONSTRUCTION AND PREHEARING STATEMENT 
CASE NO. C 01-1640 SBA (MEJ), CONSOLIDATED WITH C 02-0647 SBA 



3. Whether other issues should be addressed during the Claim Construction Hearing. 

a. The anticipated Microsoft motion for summary judgment of indefiniteness, 
referenced in the Court's Further Case Management Order of November 6, 2002. 

b. Whether certain material said to be "incorporated by reference" into several of 
the asserted patents, does or does not constitute part of the "specification" of those 
patents for claim construction purposes. 

c. Other evidentiary disputes related to the Claim Construction Hearing. 

C. Issues Microsoft intends to raise at the Case Management Conference, but which InterTrust 
believes are not appropriate for that conference: 

1. Claim construction and claim indefiniteness discovery disputes. 

2. The scope of the stay entered by the court. 

Respectfully submitted, 
Dated: February 3, 2003    KEKER & VAN NEST, LLP 

MICHAEL H. PAGE 
Attorneys for InterTrust Technologies Corporation 

Dated: February 3, 2003    ORRICK HERRINGTON & SUTCLIFFE 

By: ERIC L. WESENBERG 
Attorneys for Microsoft Corporation 

Exhibit A: Claim Chart 

Exhibit A contains Microsoft's Preliminary Claim Construction. The chart presents the construction in the order of 
the asserted "Mini-Markman" claims. Terms set forth in the claims (column 2) in bold are claim terms that the parties 
dispute. Phrases set forth in the claims in italics are claim phrases that the parties dispute. Terms set forth in Microsoft's 
construction (column 3) in bold, with initial capitalization are terms Microsoft has construed. 
4 1 93 Claim 1 


MS Construction 


1. 


1. A method comprising: 


Claim as a whole: The recited method is performed within a VDE. (See item #93 for 
Microsoft's construction of VDE.) 


2. 


receiving a digital file 
including music, 


receiving a digital file including music: 

This claim language falls within 35 U.S.C. § 112, ¶ 6. It recites a step or result 
("receiving") without reciting an action that achieves that result. The specification 
does not clearly link any particular action to this recited step. Part of the recited 
function is performed when the Digital File is received by Communications Controller 
666 and passed through I/O Controller 600 to SPE 503/SPU 500 (specifically 
incorporates the SPU Encryption/Decryption Engine 522 that is used principally as an 
aspect of secure communications between VDE secure subsystems) and NVRAM 
534b (which stores sensitive information such as cryptographic Key(s) used for 
Authentication.) Rights Operating System 602 manages the hardware within SPU 
500 that performs Authentication of the secure container as part of the receiving step. 

The recited function requires: obtaining a VDE Secure Container encapsulating a 
Digital File, Authenticating the intended recipient in accordance with VDE Controls 
Associated With the Secure Container, and accepting the Secure Container. 

The qualifier "including music" recites non-functional descriptive material and is not a 
patentable limitation. 

digital file: A named, static unit of storage allocated by a "file system" and 
Containing digital information. A Digital File enables any application using the "file 
system" to randomly access its contents and to distinguish it by name from every other 
such unit. A copy of a Digital File is a separate Digital File. (A "file system" is the 
portion of the operating system that translates requests made by application programs 
for operations on "files" into low-level tasks that can control storage devices such as 
disk drives.) 

including: As to data, storing within, as opposed to Addressing. As to hardware, 
physically present within. 


3. 


storing said digital file in a 
first secure memory of a 
first device; 


digital file: see item #2 above 

secure memory: A processor-addressable Memory within a special-purpose Secure 
Processing Unit which is isolated from the rest of the world by (and encapsulated 
within) a Tamper Resistant Barrier. "Processor-addressable" means that a 
connected processor can use the Secure Memory's physical addresses as the operand 
in a processor instruction such as LOAD or STORE or equivalent instruction. A 
"Memory" is not a "Secure Memory" merely because it stores encrypted, signed, 
and/or sealed data; is accessible from a Protected Processing Environment; or is 
within an appliance that is located at a trusted facility with non-VDE physical 
Security and user-identity Authentication procedures. 
secure: A state in which all users of a system are guaranteed that all information, 
processes, and devices within the system, shall have their availability, secrecy, 
integrity, authenticity and nonrepudiation maintained against all of the identified 
threats thereto. "Availability" means the property that information is accessible and 
usable upon demand by authorized persons, at least to the extent that no user may 
delete the information without Authorization. "Secrecy," also referred to as 
confidentiality, means the property that information (including computer processes) is 
not made available or disclosed to unauthorized persons or processes. "Integrity" 
means the property that information has not been altered either intentionally or 
accidentally. "Authenticity" means the property that the characteristics asserted about 
a person, device, program, information, or process are genuine and timely, particularly 
as to identity, data integrity, and origin integrity. "Nonrepudiation" means the 
property that a sender of information cannot deny its origination and that a recipient of 
information cannot deny its receipt. 

memory: A medium in which data (including executable instructions) may be stored 
and from which it may be retrieved. 


4. 


storing information 
associated with said 
digital file in a secure 
database stored on said 
first device, 


associated with: A specific, direct, persistent, and binding relationship with one or 
more discrete items. Code that processes information but is merely a general-purpose 
component of an installation is not "Associated With" that information. In VDE, an 
association between a unit of Executable code and particular information, or between 
particular control information and a Secure Container, cannot be broken except as 
Allowed by execution (within a Secure Processing Environment) of assigned VDE 
Control(s) and satisfaction of all requirements imposed by such execution. 

digital file: see item #2 above 

secure database: A Secure Database is a database isolated from all users such that it is 
Protected from external observation; and accidental or intentional alteration or 
destruction. In VDE, a Secure Database stores tracking, billing, payment, and 
auditing data until the data is delivered Securely to an authorized Clearinghouse. 

secure: see item #3 above 

database: a data file that is defined and accessed using the facilities of a database 
management system (DBMS); this implies in particular (a) that it is defined by means 
of a schema that is independent of any programs that access the database, and (b) that 
it uses direct access storage. 


5. 


said information including 
at least one budget control 
and at least one copy 
control, 


including: see item #2 above 

budget: A unique type of "method" that specifies a decrementable numerical 
limitation on future Use (e.g., copying) of digital information and how such Use will 
be paid for, if at all. (A "method" is a collection of basic instructions, and information 
related to basic instructions, that provides context, data, requirements, and/or 
relationships for use in performing, and/or preparing to perform, basic instructions in 
relation to the operation of one or more electronic appliances.) 

budget control: A VDE Control assembled to apply to a Budget and enforcing that 
Budget. No process, user, or device is able to make the use identified by the Budget 
once the Budget's specified limitation on that Use has been reached. 

copy control: A VDE Control which Controls Access to or some Use of a copy. 


6. 


said at least one budget 
control including a budget 
specifying the number of 
copies which can be made 
of said digital file; 


a budget specifying the number of copies which can be made of said digital file: A 
Budget explicitly stating the total number of copies (whether or not decrypted, long-lived, 
or accessible) that (since creation of the Budget) Can Be made of the Digital 
File by any and all users, devices, and processes. No process, user, or device is able to 
make another copy of the Digital File once this number of copies has been made. 

budget, budget control: see item #5 above 

including: see item #2 above 

can be: A specified act is able or authorized to be carried out, which otherwise cannot 
be carried out. 

digital file: see item #2 above 


7. 


and said at least one copy 
control controlling the 
copies made of said digital 


controlling the copies made of said digital file: Controlling Uses of and Accesses to 
all copies of the Digital File, by all users, processes, and devices, by executing each of 
the recited "at least one" Copy Control(s) within VDE Secure Processing 
Environment(s). Each Control Governs (Controls) only one action, which action 
may or may not differ among the different "at least one" Controls. All Uses and 
Accesses are prohibited and incapable of occurring except to the extent Allowed by 
the "at least one" Copy Control(s). 

copy control: see item #5 above 

controlling: Reliably defining and enforcing the conditions and requirements under 
which an action that otherwise cannot be taken, will be Allowed, and the manner in 
which it may occur. Absent verified satisfaction of those conditions and requirements, 
the action cannot be taken by any user, process or device. In VDE, an action is 
Controlled through execution of the applicable VDE Control(s) within a VDE 
Secure Processing Environment. More specifically, in VDE, Controlling is 
effected by use of VDE Controls, VDE Secure Containers, and VDE foundation 
(including VDE Secure Processing Environment, "object registration," and other 
mechanisms for allegedly individually ensuring that specific Controls are enforced 
vis-a-vis specific objects (and their content at an arbitrary granular level) and specific 
"users.") 

digital file: see item #2 above 


8. 


determining whether said 
digital file may be copied 
and stored on a second 
device based on at least 
said copy control; 


determining whether said digital file may be copied and stored on a second device 
based on at least said copy control: Determining whether this particular first device is 
Allowed to perform both of the following actions on this particular Digital File: (1) 
Copy it and (2) store it (as opposed to a copy of it) on a second device, by executing 
one or more VDE Control(s) (including "said" Copy Control Associated With this 
Digital File) within VDE Secure Processing Environment(s). To the extent that 
either of these two actions is not determined by this step to be permissible, that action 
is prohibited and incapable of occurring, and no user, process or device can perform it 
on this Digital File. 

This claim limitation's recitation of "said copy control" is inconsistent with the claim 
limitation "at least one copy control." 

digital file: see item #2 above 

copy, copied, copying: To reproduce all of a Digital File or other complete physical 
block of data from one location on a storage medium to another location on the same 
or different storage medium, leaving the original block of data unchanged, such that 
two distinct and independent objects exist. Although the layout of the data values in 
physical storage may differ from the original, the resulting "copy" is logically 
indistinguishable from the original. The resulting "copy" may or may not be 
encrypted, ephemeral, usable, or accessible. 
copy control: see item #5 above 


9. 


if said copy control allows 
at least a portion of said 
digital file to be copied and 
stored on a second device, 


if said copy control allows at least a portion of said digital file to be copied and stored 
on a second device: 

This "if" condition creates two branches for the recited process, each of which must be 
performed. Each time the "if" condition is met, all four of the later-recited actions 
(Copying, transferring, storing, playing) must occur. Each time it is not met, each of 
these four actions must be prohibited and incapable of occurring. 

This "if" condition is met if and only if "said" Copy Control Allows any Portion (i.e., 
a part less than the whole) of the Digital File to be Copied and also Allows that same 
Portion of the Digital File (as opposed to the copy) to be stored on any second device. 
This "if" condition is based entirely on "said copy control" and thus is met, as above, 
even if other VDE Control(s) prohibit those actions. 

This claim limitation's recitation of "copy control allows at least a portion" is 
inconsistent with the claim limitation "whether said digital file may be copied ... based 
on at least said copy control." 

This claim limitation's recitation of "if said copy control allows at least a portion ... 
copying" is inconsistent with "said at least one budget control including a budget 
specifying the number of copies which can be made of said digital file" on whether 
said "copy control" or said "budget control" determines whether Copying is Allowed. 

copy control: see item #5 above 

allow (allows): Actively permitting an action that otherwise cannot be taken (i.e., is 
prohibited) by any user, process, or device. In VDE, an action is Allowed only 
through execution (within a Secure Processing Environment) of the VDE Control(s) 
assigned to the particular action request, and satisfaction of all requirements imposed 
by such execution. 

portion: A part of a whole, which is less than the whole. 
digital file: see item #2 above 


10. 


copying at least a portion 
of said digital file; 


copying at least a portion of said digital file: Copying at least some Portion of the 
Digital File (as opposed to a copy thereof), by executing VDE Control(s) within VDE 
Secure Processing Environment(s). This Copied "Portion" may or may not be (or 
even include) the Portion referred to in the claim limitation "if said copy control 
allows at least a portion." 

copying: see item #8 above 

portion: see item #9 above 

digital file: see item #2 above 


11. 


transferring at least a 

portion of said digital file 
to a second device 
including a memory and 
an audio and/or video 
output; 


transferring at least a portion of said digital file to a second device: Transferring to 
some second device (which may or may not be the "second device" referred to in the 
claim limitation "if said copy control allows at least a portion of said digital file to be 
copied and stored on a second device") at least some Portion of the Digital File (as 
opposed to a copy thereof), by executing VDE Control(s) within VDE Secure 
Processing Environment(s). This transferred Portion may or may not be (or even 
include) the Portion referred to in the claim limitation "if said copy control allows at 
least a portion," or the Portion referred to in the claim limitation "copying at least a 
portion." 
portion: see item #9 above 
digital file: see item #2 above 
memory: see item #3 above 


12. 


storing said digital file in 
said memory of said 
second device; and 


storing said digital file: Storing the entire Digital File received in the "receiving" step 
(as opposed to a copy of the Digital File or a Portion of the Digital File). 
This claim limitation's recitation of "storing said digital file" is inconsistent with the 
claim limitation "transferring at least a portion of said digital file." 

digital file: see item #2 above 

memory: see item #3 above 


13. 


including playing said 
music through said audio 
output 


This claim limitation's recitation of "playing ... through said audio output" is 
inconsistent with the claim limitation "an audio and/or video output." 


14. 


11. A method comprising: 


Claim as a whole: The recited method is performed within a VDE. (See item #93 for 
Microsoft's construction of VDE.) 


15. 


receiving a digital file 


receiving a digital file: see item #2 above 
digital file: see item #2 above 


16. 


storing information 
associated with said 
digital file in a secure 
database stored on said 
first device, 


associated with: see item #4 above 
digital file: see item #2 above 
secure database: see item #4 above 


17. 


said information including 
a first control; 


including: see item #2 above 

control: Independent, special-purpose, Executable, which can execute only within a 
Secure Processing Environment. Each VDE Control is a Component Assembly 
dedicated to a particular activity (e.g., editing, modifying another Control, a user-defined 
action, etc.), particular user(s), and particular Protected information, and 
whose satisfactory execution is necessary to Allowing that activity. Each separate 
information Access or Use is independently Controlled by independent VDE 
Control(s). Each VDE Control is assembled within a Secure Processing 
Environment from independently deliverable modular components (e.g., Load 
Modules or other Controls), dynamically in response to an information Access or Use 
Request. The dynamic assembly of a Control is directed by a "blueprint" Record (put 
in place by one or more VDE users) Containing control information identifying the 
exact modular code components to be assembled and executed to Govern this 
particular activity on this particular information by this particular user(s). Each 
Control is independently assembled, loaded and delivered vis-a-vis other Controls. 
Control information and Controls are extensible and can be configured and modified 
by all users, and combined by all users with any other VDE Control information or 
Controls (including that provided by other users), subject only to "senior" user 
Controls. Users can assign control information (including alternative control 
information) and controls to an arbitrarily fine, user-defined Portion of the Protected 
information, such as a single paragraph of a document, as opposed to being limited to 
file-based Controls. VDE Controls reliably limit Use of the Protected information to 
Authorized activities and amounts. 


18. 


determining whether said 
digital file may be copied 
and stored on a second 
device based on said first 
control, 


determining whether said digital file may be copied and stored on a second device 
based on said first control: Determining whether said first Control, by itself, Allows 
this particular first device to perform both of the following actions on this particular 
Digital File: (1) Copy it and (2) store it (as opposed to a copy of it) on a second 
device, by executing the first VDE Control within VDE Secure Processing 
Environment(s). To the extent that either the Copy or store action is not determined 
by this step to be permissible, that action is prohibited and incapable of occurring, and 
no user, process or device can perform it on this Digital File. 

digital file: see item #2 above 

copied: see item #10 above 

control: see item #17 above 


19. 


said determining step 
including identifying said 
second device and 


identifying said second device: Identifying a second device sufficiently to distinguish 
it from all other devices, by executing VDE Control(s) within VDE Secure 
Processing Environment(s). 

determining whether said 
first control allows transfer 
of said copied file to said 
second device, 


whether said first control allows transfer of said copied file to said second device: 
Whether the first Control, by itself, Allows the entire Digital File (which has been 
Copied at least once) (as opposed to the copy) to be moved to the identified second 
device. If not, that transfer is prohibited and incapable of occurring and no user, 
process or device can perform that action on this Digital File. 

identifying/identify: To establish as being a particular instance of a person or thing. 

control: see item #17 above 
allow: see item #9 above 

copied file: A Digital File that has been Copied. The "copied file" is not the copy 
itself. A "copy" is what is formed by a Copying operation, and it may or may not be 
encrypted, ephemeral, usable, or accessible. 


20. 


said determination based at 
least in part on the features 
present at the device to 
which said copied file is to 
be transferred; 


said determination based at least in part on the features present at the device: Basing 
the determination at least in part upon all actual, current features of the device (as 
opposed to previously determined, reported, or measured features) which might affect 
the device's ability to prevent Unauthorized Access to or Use of (or both) the Digital 
File. This determination is done without trusting either the device or any user of the 
device. A device Identifier such as a serial number is not a "feature present at the 
device." 

copied file: see item #19 above 


21. 


if said first control allows 
at least a portion of said 
digital file to be copied and 
stored on a second device, 


if said first control allows at least a portion of said digital file to be copied and stored 
on a second device: This "if" condition creates two branches for the recited process, 
each of which must be performed. Each time the "if" condition is met, all four of the 
later-recited actions (Copying, transferring, storing, Rendering) must occur. Each 
time it is not met, each of these four actions must be disabled and prohibited and 
incapable of occurring. 

This "if" condition is met if and only if the first Control allows any Portion of the 
Digital File to be Copied and also allows that same Portion of the Digital File (as 
opposed to the copy) to be on any second device. This "if" condition is based entirely 
on the first Control and thus is met, as above, even if other VDE Controls prohibit 
those actions. 

This claim limitation's recitation of "said first control allows at least a portion" is 
inconsistent with the claim limitation "whether said digital file may be copied ... based 
on said first control." 

control: see item #17 above 

allow: see item #9 above 

portion: see item #9 above 

digital file: see item #2 above 


22. 


copying at least a portion 
of said digital file; 


copying at least a portion of said digital file: see item #10 above 

copying: see item #8 above 
portion: see item #9 above 
digital file: see item #2 above 


23. 


transferring at least a 
portion of said digital file 
to a second device 
including a memory and 
an audio and/or video 
output; 


transferring at least a portion of said digital file to a second device: see item #11 above 

portion: see item #9 above 
digital file: see item #2 above 
memory: see item #3 above 


24. 


storing said digital file in 
said memory of said 
second device; and 


storing said digital file: see item #12 above 
digital file: see item #2 above 


25. 


rendering said digital file 
through said output. 


rendering: Playing content through an audio output (e.g., speakers) or displaying 
content on a video output (e.g., a screen). 

digital file: see item #2 above 

This claim limitation's recitation of "said output" is inconsistent with the claim 
limitation "an audio and/or video output." 


26. 


15. A method comprising: 


Claim as a whole: The recited method is performed within a VDE. (See item #93 for 
Microsoft's construction of VDE.) 


27. 


receiving a digital file; 


receiving a digital file: see item #2 above. This step must proceed in both 
"Authentication branches" of the process (i.e., regardless of the outcome of the 
"Authentication" step). 

digital file: see item #2 above 


28. 


an authentication step 
comprising: 


an authentication step comprising: Authenticating the first device and/or user of the 
first device without relying on trusting either, by executing VDE Control(s) within 
VDE Secure Processing Environment(s). 

authentication: To establish that the following asserted characteristics of something 
(e.g., a person, device, organization, document, file, etc.) are genuine: its Identity, its 
data integrity, (i.e., it has not been altered) and its origin integrity (i.e., its source and 
time of origination). 


29. 


accessing at least one 
identifier associated with a 
first device or with a user 
of said first device; and 


accessing at least one identifier associated with a first device or with a user of said first 
device: Securely Accessing at least one Identifier Associated With a single ("first") 
device or (as opposed to "and") with a single, current user of that device, by executing 
VDE Control(s) within VDE Secure Processing Environment(s). One of the "at 
least one identifier" may be Associated With a first device while another of the "at 
least one identifier" may be Associated With a user of said first device. 

Access (accessing): To satisfactorily perform the steps necessary to obtain something 
so that it can be Used in some manner (e.g., for information: copied, printed, 
decrypted, encrypted, saved, modified, observed, or moved, etc.). In VDE, access to 
protected information is achieved only through execution (within a Secure Processing 
Environment) of the VDE Control(s) assigned to the particular "access" request, 
satisfaction of all requirements imposed by such execution, and the Controlled 
Opening of the Secure Container Containing the information. 

identifier: Any text string used as a label naming an individual instance of what it 
Identifies. 

associated with: see item #4 above 


30. 


determining whether said 
identifier is associated 
with a device and/or user 
authorized to store said 
digital file; 


determining whether said identifier is associated with a device and/or user authorized 
to store said digital file: For each accessed "at least one identifier," determining 
whether the device with which it is Associated is one on which the Digital File may 
be stored (by any user) and/or whether the user with which it is Associated is one who 
may store the Digital File (on any device), by executing VDE Control(s) within VDE 
Secure Processing Environment(s). Each Identifier may be Associated With a 
device "and" a user, or with a device only, or with a user only. 

This claim limitation's recitation of "said identifier" is inconsistent with the claim 
limitation "at least one identifier." 

identifier: see item #29 above 

associated with: see item #4 above 

authorized: An action is permitted that otherwise cannot be taken by any user, 
process, or device. In VDE, an action is authorized only through execution of the 
applicable VDE Control(s) within a VDE Secure Processing Environment and 
satisfaction of all requirements imposed by such execution. 

"not authorized": The action is prohibited and cannot be taken by any user, process, or 
device. 

digital file: see item #2 above 


31. 


storing said digital file in a 
first secure memory of said 
first device, but only if said 
device and/or user is so 
authorized, but not 
proceeding with said 
storing if said device 
and/or user is not 
authorized; 


storing said digital file in a first secure memory of said first device, but only if said 


device and/or user is so authorized, but not proceeding with said storing if said device 


and/or user is not authorized: This conditional step creates at least two 
"Authentication" branches for the recited process, each of which must be performed 
Each time the condition is met, the recited "storing" must occur. Each time it is not 
met, the recited "storing" must not occur. 

If "storing" proceeds, then: storing in a Secure Memory of the first device, the entire 
Digital File received in the "receiving" step, as opposed to a copy of the File or a 
Portion of the Digital File, by executing VDE Control(s) within VDE Secure 
Processing Environment(s). If "storing" does not proceed: then the Digital File is 
not stored in the Secure Memory of the first device, and is prevented from being 
stored anywhere on the first device. 

This limitation is internally inconsistent on the circumstances under which the storing 
proceeds or does not proceed. For example, the first ("only if") phrase requires that 
the storing step proceeds if the device is Authorized (and the user is not) while the 
second ("but not") phrase requires that the storing step not proceed if the device is 
Authorized (and the user is not). 

authorized: see item #30 above 

digital file: see item #2 above 

secure memory: see item #3 above 


32. 


storing information 
associated with said digital 
file in a secure database 
stored on said first device, 
said information including 
at least one control; 


storing information associated with said digital file in a secure database stored on said 


first device, said information including at least one control: Storing information in a 
Secure Database, the entirety of information (including the "at least one Control") 
being Associated With the Digital File (as opposed to the file's contents independent 
of the file), by executing VDE Control(s) within VDE Secure Processing 
Environment(s). 

This step must proceed in both "Authentication branches" of the process (i.e., 
regardless of the outcome of the "Authentication" step). 

associated with: see item #4 above 

digital file: see item #2 above 

secure database: see item #4 above 

control: see item #17 above 


33. 


determining whether said 
digital file may be copied 
and stored on a second 
device based on said at 
least one control; 


determining whether said digital file may be copied and stored on a second device 


based on said at least one control: see item #8 above 

This step must proceed in both "Authentication branches" of the process (i.e., 
regardless of the outcome of the "Authentication" step). 

digital file: see item #2 above 
copied: see item #10 above 
control: see item #17 above 


34. 


if said at least one control 
allows at least a portion of 
said digital file to be 
copied and stored on a 
second device, 


if said at least one control allows at least a portion of said digital file to be copied and 


stored on a second device: see item #9 above 

control: see item #17 above 

allow: see item #9 above 

portion: see item #9 above 

digital file: see item #2 above 

copied: see item #10 above 


35. 


copying at least a portion 
of said digital file; 


copying at least a portion of said digital file: see item #10 above 


copying: see item #8 above 
portion: see item #9 above 
digital file: see item #2 above 


36. 


transferring at least a 
portion of said digital file 
to a second device 
including a memory and 
an audio and/or video 
output; 


transferring at least a portion of said digital file to a second device: see item #11 above 

This step must proceed in both "Authentication branches" of the process (i.e., 
regardless of the outcome of the "Authentication" step). 

portion: see item #9 above 

digital file: see item #2 above 

memory: see item #3 above 


37. 


storing said digital file in 
said memory of said 
second device; and 


storing said digital file: see item #12 above 

This step must proceed in both "Authentication branches" of the process (i.e., 
regardless of the outcome of the "Authentication" step). 

This claim limitation's recitation of "storing said digital file" is inconsistent with the 
claim limitation "transferring at least a portion of said digital file." 

digital file: see item #2 above 

memory: see item #3 above 


38. 


rendering said digital file 
through said output 


rendering: see item #25 above 
digital file: see item #2 above 

This claim limitation's recitation of "said output" is inconsistent with the claim 
limitation "an audio and/or video output." 

39. 


19. A method comprising: 


Claim as a whole: The recited method is performed within a VDE. (See item #93 for 
Microsoft's construction of VDE.) 


40. 


receiving a digital file at a 
first device; 


receiving a digital file at a first device: see item #2 above 
digital file: see item #2 above 


41. 


establishing 
communication between 
said first device and a 
clearinghouse located at a 
location remote from said 
first device; 


establishing communication between said first device and a clearinghouse located at a 


location remote from said first device: This claim language falls within 35 U.S.C. § 
112, ¶ 6. It recites a step or result ("establishing communication") without reciting an 
action that achieves that result. The specification does not clearly link any particular 
action to this recited step. Part of the recited function is performed by the Remote 
Procedure Call Manager 732 software of Rights Operating System 602 that controls 
I/O controller 660 and Communications Controller 666. Remote Procedure Call 
Manager handles all communication between VDE processes. 

The recited function is: creating and using a previously non-existent communications 
channel which is necessary and sufficient for exchanging information between the first 
device and a Clearinghouse. 

clearinghouse: A computer system that provides intermediate storing and forwarding 
services for both content and audit information, and which two or more parties trust to 
provide its services independently because it is operated under constraint of VDE 
Security. "Audit information" means all information created, stored, or reported in 
connection with an "auditing" process. "Auditing" means tracking, metering and 
reporting the usage of particular information or a particular appliance. 


42. 


said first device obtaining 
authorization information 
including a key from said 
clearinghouse; 


authorization information: "Control information" identifying the exact modular code 
components to be assembled into a VDE Control and executed within a Secure 
Processing Environment to permit a particular activity that otherwise cannot be taken 
(i.e., is prohibited). ("Control information" is information which Identifies the exact 
modular code components and data which must be assembled and executed to Control 
a particular activity on particular information, of arbitrary, user-defined granularity, by 
particular user(s)). 

key: A bit sequence used and needed by a cryptographic algorithm to encrypt a block 
of plain text or to decrypt a block of cipher text. A Key is different from a key seed or 
other information from which the actual encryption and/or decryption Key is 
constructed, derived, or otherwise identified. In symmetric key cryptography, the 
same key is used for both encryption and decryption. In asymmetric or "public key" 
cryptography, two related keys are used; a block of text encrypted by one of the two 
keys (e.g., the "public key") can be decrypted only by the corresponding key (e.g., the 
"private key"). 

clearinghouse: see item #41 above 


43. 


said first device using said 
authorization information 
to gain access to or make 
at least one use of said first 
digital file, 


using said authorization information to gain access to or make at least one use of said 


first digital file: A user, process or device uses all of said Authorization Information 
in connection with executing VDE Control(s) within VDE Secure Processing 
Environment(s) to gain Access to or (as opposed to "and") make at least one Use of 
the Digital File received in the "receiving" step. Without using such Authorization 
Information, no Access to or Use of the file is Allowed. 

authorization information: see item #42 above 

access: see item #29 above 
use: To use information is to perform some action on it or with it (e.g., copying, 
printing, decrypting, encrypting, saving, modifying, observing, or moving, etc.). In 
VDE, information Use is Allowed only through execution of the applicable VDE 
Control(s) and satisfaction of all requirements imposed by such execution. 

digital file: see item #2 above 


44. 


including using said key to 
decrypt at least a portion 
of said first digital file; and 


using said key to decrypt at least a portion of said first digital file: The "at 


least one use of said digital file" must encompass decrypting at least a Portion of the 
Digital File using the Key. 

portion: see item #9 above 

digital file: see item #2 above 


45. 


receiving a first control 
from said clearinghouse at 
said first device; 


receiving a first control from said clearinghouse at said first device: This claim 


language falls within 35 U.S.C. § 112, ¶ 6. It recites a step or result ("receiving") 
without reciting an action that achieves that result. The specification does not clearly 
link any particular action to this recited step. Part of the recited function is performed 
by Communications Controller 666, I/O Controller 600, SPE 503/SPU 500 
(particularly "SPU Encryption/Decryption Engine 522" and NVRAM 534b). 

The recited function requires: obtaining a VDE Secure Container encapsulating a 
first Control, authenticating the first device in accordance with VDE Controls 
Associated With the Secure Container, and accepting the Secure Container. 

control: see item #17 above 

clearinghouse: see item #41 above 


46. 


storing said first digital file 
in a memory of said first 
device; 


storing said first digital file in a memory of said first device: Storing in a memory of 


the first device, the entire Digital File (as opposed to a Portion thereof) received in 
the "receiving" step, by executing VDE Control(s) within VDE Secure Processing 
Environment(s). 

digital file: see item #2 above 

memory: see item #3 above 


47. 


using said first control to 
determine whether said 
first digital file may be 
copied and stored on a 
second device; 


using said first control to determine whether said first digital file may be copied and 


stored on a second device: Determining whether the first Control, by itself, allows 
this particular first device to perform both of the following actions on this particular 
Digital File: (1) Copy it and (2) store it (as opposed to a copy of it) on a second 
device, by executing the first VDE Control within VDE Secure Processing 
Environment(s). To the extent that either the Copy or store action is not determined 
by this step to be permissible, that action is prohibited and incapable of occurring, and 
no user, process or device can perform it on this Digital File. 

control: see item #17 above 

digital file: see item #2 above 

copied: see item #10 above 


48. 


if said first control allows 
at least a portion of said 
first digital file to be 
copied and stored on a 
second device, 


if said first control allows at least a portion of said first digital file to be copied and 


stored on a second device: see item #9 above 


This claim limitation's recitation of "first control allows at least a portion of said first 
digital file" is inconsistent with the claim limitation "whether said first digital file may 
be copied ... on a second device." 

control: see item #17 above 

allow: see item #9 above 

portion: see item #9 above 

digital file: see item #2 above 

copied: see item #10 above 


49. 


copying at least a portion 
of said first digital file; 


copying at least a portion of said first digital file: see item #10 above 


copying: see item #8 above 
portion: see item #9 above 
digital file: see item #2 above 


50. 


transferring at least a 
portion of said first digital 
file to a second device 
including a memory and an 
audio and/or video output; 


transferring at least a portion of said first digital file to a second device including a 


memory and an audio and/or video output: see item #11 above 
portion: see item #9 above 
digital file: see item #2 above 
memory: see item #3 above 


51. 


storing said first digital file 
portion in said memory of 
said second device; and 


storing said first digital file portion: Storing the "at least a portion" which was 
transferred to the second device, of the Digital File received in the "receiving" step (as 
opposed to a copy of the Digital File). 

digital file: see item #2 above 

portion: see item #9 above 

memory: see item #3 above 




rendering said first digital 

file portion through said 
output 


rendering: see item above 

portion: see item #9 above 
digital file: see item #2 above 

This claim limitation's recitation of "said output" is inconsistent with the claim 
limitation "an audio and/or video output." 

53. 


2. A system including: 


Claim as a whole: The system is a VDE. (See item for Microsoft's 
construction of VDE.) 


54. 


a first apparatus including, 




55. 


user controls, 


user controls: Controls created, modified, or selected by a user to Control a particular 
Use or Access by the user to particular Protected information. 

control: see item #17 above 


56. 


a communications port, 




57. 


a processor, 




58. 


a memory storing: 


memory: see item #3 above 


59. 


a first secure container 


secure container: A VDE Secure Container is a self-contained, self-protecting data 
structure which (a) encapsulates information of arbitrary size, type, format, and 
organization, including other, nested, containers, (b) cryptographically protects that 
information from all unauthorized Access and Use, (c) provides encrypted storage 
management functions for that information, such as hiding the physical storage 
location(s) of its protected contents, (d) permits the Association of itself or its contents 
with Controls and Control information Governing Access to and Use thereof, and (e) 
prevents such Use or Access (as opposed to merely preventing decryption) until it is 
"opened." A Secure Container can be opened only as expressly Allowed by the 
associated VDE Control(s), only within a Secure Processing Environment, and only 
through decryption of its encrypted header. A Secure Container is not directly 
accessible to any non-VDE or user calling process. All such calls are intercepted by 
VDE. The creator of a Secure Container can assign (or allow others to assign) 
control information to any arbitrary Portion of a Secure Container's contents, or to 
an empty Secure Container (to Govern the later addition of contents to the container, 
and Access to or Use of those contents). A container is not a Secure Container 
merely because its contents are encrypted and signed. A Secure Container is itself 
Secure. All VDE-Protected information (including protected content, information 
about content usage, content-control information, Controls, and Load Modules) is 
encapsulated within a Secure Container whenever stored outside a Secure 
Processing Environment or Secure Database. 


60. 


containing a governed 
item, 


containing: Physically (directly) storing within, as opposed to Addressing. 

governed item: Information, of arbitrarily fine granularity, whose Access and Use by 
any user, process, or device is Controlled. 


61. 


the first secure container 
governed item being at 
least in part encrypted; 


secure container: see item #59 above 
governed item: see item #60 above 


62. 


the first secure container 
having been received from 
a second apparatus; 


the first secure container having been received from a second apparatus: The "first 


secure container" must Identify the single apparatus from which it was received, and 
that apparatus must be different from the first apparatus. Alternatively, if the Court 
does not construe this claim language as requiring the "first secure container" to 
identify the single apparatus from which it was received: This claim language has no 
patentable weight. It recites a step taken in the creation of the recited system, not a 
structural or functional characteristic of the system. One studying a particular system 
(as opposed to the process by which it was created) to compare it to the claimed 
system, could not distinguish a Secure Container received from another apparatus 
from, e.g., a Secure Container created on the first apparatus, and thus could not 
determine whether this step was satisfied. 
Receiving the Secure Container includes Authenticating the intended recipient in 
accordance with VDE Controls Associated With the Secure Container. The first 
Secure Container may be received as bar codes in a fax transmission, or filled ovals 
on a form delivered through physical mail. 

secure container: see item #59 above 


63. 


a first secure container 
rule 


secure container rule: A Rule that Governs a Secure Container Governed Item. 

rule: A lexical statement that states a condition under which Access to or Use of 
VDE-Protected data will be Allowed by a VDE Control. A rule may specify how, 
when, where, and by whom a particular activity on particular information is to be 
Allowed. 


64. 


at least in part governing 
an aspect of access to or 
use of said first secure 
container governed item, 


an aspect of access to or use of: Any one (as opposed to more than one) aspect of any 
Access to or (as opposed to "and") Use by any and all processes, users, and devices. 

governing: see Control (v.) item #7 above 

aspect: An aspect of an environment is a persistent element or property of that 
environment that can be used to distinguish it from other environments. 

access: see item #29 above 

use: To use information is to perform some action on it or with it (e.g., copying, 
printing, decrypting, encrypting, saving, modifying, observing, or moving, etc.). In 
VDE, information Use is Allowed only through execution of the applicable VDE 
Control(s) and satisfaction of all requirements imposed by such execution. 


65. 


the first secure container 
rule, the first secure 
container rule having been 
received from a third 
apparatus different from 
said second apparatus; and 


the first secure container rule having been received from a third apparatus different 


from said second apparatus: The "first secure container rule" must have been received 
encapsulated within a VDE Secure Container, and the intended recipient must have 
been Authenticated in accordance with VDE Controls Associated With the Secure 
Container, and the "first secure container rule" must have been accepted by the first 
apparatus. The "first secure container rule" must identify the single apparatus from 
which it was received, and that apparatus must be different from the first apparatus. 
Alternatively, if the Court does not construe this claim language as requiring the "first 
secure container" to identify the single apparatus from which it was received: This 
claim language has no patentable weight. It recites a step taken in the creation of the 
recited system, not a structural or functional characteristic of the system. One studying 
a particular system (as opposed to the process by which it was created) to compare it to 
the claimed system, could not distinguish a Secure Container Rule received from 
another apparatus from, e.g., a Secure Container Rule created on the first apparatus, 
and thus could not determine whether this step was satisfied. 

secure container rule: see item #63 above 


66. 


hardware or software used 
for receiving and opening 

secure containers, 


hardware or software used for receiving and opening secure containers, 


receiving: This claim language falls within 35 U.S.C. § 112, ¶ 6. It recites an 

"Opening") without reciting particular structure that performs that function. The 
specification does not clearly link any particular structure to this recited function. Part 
of the recited function is performed by Communications Controller 666, I/O Controller 
600, SPE 503/SPU 500 (particularly "SPU Encryption/Decryption Engine 522" and 
NVRAM 534b). 

The recited function requires: the same single logical piece of either hardware or 
software (as opposed to both) must be capable of both receiving and Opening Secure 
Containers, this "receiving" including authenticating the intended recipient in 
accordance with VDE Controls Associated With the Secure Container, and this 
"Opening" performed by executing VDE Control(s) within VDE Secure Processing 
Environment(s). 

opening secure containers: Establishing the requisites needed to attempt to access the 
contents of a Secure Container. Opening is a necessary but insufficient step before 
the contents of a Secure Container may be copied, decrypted, read, manipulated, or 
otherwise Used, or Accessed. No process, user, or device may Access or Use the 
contents of a Secure Container without first opening that Secure Container. A 
Secure Container may be opened only through execution of the assigned VDE 
Control(s) within a VDE Secure Processing Environment and satisfaction of all 
requirements imposed by such execution. 


67. 


said secure containers 
each including the capacity 
to contain a governed 
item, a secure container 
rule being associated with 
each of said secure 
containers; 


said secure containers each including the capacity to contain a governed item, a secure 


container rule being associated with each of said secure containers: Each Secure 


Container referred to in the phrase "hardware or software used for receiving and 
opening secure containers" must have the capacity to Contain a Governed Item, and 
must have Associated With it a Secure Container Rule. By "each secure container 
referred to in the phrase" is meant each Secure Container which the "hardware or 
software used for receiving and opening secure containers" is capable of receiving and 
Opening. The Secure Container Rule is Associated With the Secure Container 
itself as opposed to a Governed Item. 

secure container: see #59 above 

capacity: Available storage space that is still capable of allocation. For example, a 
650 MB blank CD, after sealing, has zero capacity because no new material may be 
stored within it. 

contain: see item #60 above 

governed item: see item #60 above 

secure container rule: see item #63 above 

associated with: see item #4 above 


68. 


a protected processing 
environment at least in 
part protecting information 
contained in said protected 
processing environment 
from tampering by a user 
of said first apparatus, 


protected processing environment at least in part protecting information contained in 


said protected processing environment from tampering by a user of said first 


apparatus: A single VDE Secure Processing Environment, in addition to and not 
within the first apparatus, actively Preventing (not merely being capable of 
Preventing, and not merely resisting) any "user" of the first apparatus from 
Tampering with any and all information encapsulated by the Secure Processing 
Environment (as opposed to Tampering with the Secure Processing Environment 
itself). Other components may or may not provide part of this Protecting function. 
The Protecting function is provided by use of the disclosed "Component Assembly" 
(VDE Controls), "Secure Container," "Protected Processing Environment," "object 
registration," and other mechanisms of the purported "VDE" "invention" for allegedly 
individually ensuring the "Access Control" "handcuffs" between specific "Controls," 
specific "objects" (and their content at an arbitrary granular level), and specific 
"users." 

protected processing environment: A uniquely identifiable, self-contained computing 
base trusted by all VDE nodes to protect the availability, secrecy, integrity and 
authenticity of all information identified in the February, 1995, patent application as 
being protected, and to guarantee that such information will be accessed and used only 
as expressly authorized by VDE Controls. At most VDE nodes, the Protected 
Processing Environment is a Secure Processing Environment which is formed by, 
and requires, a hardware Tamper Resistant Barrier encapsulating a special-purpose 
Secure Processing Unit having a processor and internal secure Memory. 
("Encapsulated" means hidden within an object so that it is not directly accessible but 
rather is accessible only through the object's restrictive interface.) The barrier prevents 
all unauthorized (intentional or accidental) interference, removal, observation, and Use 
of the information and processes within it, by all parties (including all users of the 
device in which the Protected Processing Environment resides), except as expressly 
authorized by VDE Controls. A Protected Processing Environment is under 
Control of Controls and control information provided by one or more parties, rather 
than being under Control of the appliance's users or programs. Where a VDE node is 
an established financial Clearinghouse, or other such facility employing physical 
facility and user-identity Authentication Security procedures trusted by all VDE 
nodes, and the VDE node does not Access or use VDE-protected information, or 
assign VDE control information, then the Protected Processing Environment at that 
VDE node may instead be formed by a general-purpose CPU that executes all VDE 
"security" processes in Protected (privileged) mode. 

A Protected Processing Environment requires more than just verifying the integrity 
of Digitally Signed Executable programming prior to execution of the programming; 
or concealment of the program, associated data, and execution of the program code; or 
use of a password as its protection mechanism. 

protecting: Maintaining the Security of. 

contain (contained): see item #60 above 


69. 


said protected processing 
environment including 
hardware or software used 
for applying said first 
secure container rule and 
a second secure container 
rule in combination to at 
least in part govern at least 
one aspect of access to or 
use of a governed item 
contained in a secure 
container; and 


hardware or software used for applying said first secure container rule and a second 


secure container rule in combination to at least in part govern at least one aspect of 


access to or use of a governed item contained in a secure container: This claim 


language falls within 35 U.S.C. § 112, ¶ 6. It recites an undefined mechanism 
("hardware or software") for performing a function ("applying ... in combination") 
without reciting particular structure that performs that function. The specification does 
not clearly link any particular structure to this recited function. Part of the recited 
function is performed by Communications Controller 666, I/O Controller 600, SPE 
503/SPU 500 (particularly "SPU Encryption/Decryption Engine 522" and NVRAM 
534b). 

The recited function requires: a single logical piece of either hardware or software (as 
opposed to both) to apply the two separate Rules in combination by assembling and 
executing a single Control, and to Govern any one or more aspects of any Access or 
Use by any process or user or device, of a Governed Item Contained in a Secure 
Container (which may or may not be any "Secure Container" recited earlier). Other 
components may or may not provide part of the Governing function. This "hardware 
or software" performs its functions by executing VDE Control(s) within VDE Secure 
Processing Environment(s). 

including: see item #2 above 

aspect: see item #64 above 

access: see item #29 above 

contain (contained): see item #60 above 

secure container rule: see item #63 above 

secure container: see #59 above 

governed item: see item #60 above 


70. 


hardware or software used 
for transmission of secure 
containers to other 
apparatuses or for the 
receipt of secure containers 
from other apparatuses. 


hardware or software used for transmission of secure containers to other apparatuses or 


for the receipt of secure containers from other apparatuses: This claim language falls 


within 35 U.S.C. § 112, ¶ 6. It recites an undefined mechanism ("hardware or 
software") for performing a function (e.g., "transmission") without reciting particular 
structure that performs that function. The specification does not clearly link any 
particular structure to this recited function. Part of the recited function is performed by 
Communications Controller 666, I/O Controller 600, SPE 503/SPU 500 (particularly 
"SPU Encryption/Decryption Engine 522" and NVRAM 534b). 

The recited function requires: a single logical piece of either hardware or software (as 
opposed to both) is capable of both transmission and receipt of Secure Containers, 
this receipt including Authenticating the intended recipient in accordance with VDE 
Controls Associated With the Secure Container. This "hardware or software" is 
separate from and in addition to the first apparatus, the recited "protected processing 
environment," and the recited "hardware or software used for receiving and opening 
secure containers." The transmission and receipt of the Secure Containers may be 
via bar codes in a fax transmission, or filled ovals on a form delivered through 
physical mail. This "hardware or software" performs its functions by executing VDE 
Control(s) within VDE Secure Processing Environment(s). 

secure container: see #59 above 

71. 


1. A security method 
comprising: 


Claim as a whole: The recited method is performed within a VDE. (See item #93 for 
Microsoft's construction of VDE.) 


72. 


digitally signing a first 
load module with a first 
digital signature 
designating the first load 
module for use by a first 
device class; 


digitally signing a first load module with a first digital signature designating the first 


load module for use by a first device class: Digitally Signing a particular ("first") 
Load Module by using a first Digital Signature as the signature Key, which signing 
indicates to any and all devices in the first device class that the signor authorized and 
restricted this Load Module for Use by that device. No VDE device can perform any 
execution of any Load Module without such authorization. The method ensures that 
the Load Module cannot execute in a particular device class and ensures that no 
device in that device class has the Key(s) necessary to verify the Digital Signature. 

digital signature: 

digital signature: A computationally unforgeable string of characters (e.g., bits) 
generated by a cryptographic operation on a block of data using some secret. The 
string can be generated only by an Entity that knows the secret, and hence provides 
evidence that the Entity must have generated it. 

digitally signing: Creating a Digital Signature using a secret Key. (In symmetric key 
cryptography, a "secret key" is a Key that is known only to the sender and recipient. 
In asymmetric key cryptography, a "secret key" is the private Key of a public/private 
key pair, in which the two keys are related uniquely by a predetermined mathematical 
relationship such that it is computationally infeasible to determine one from the other.) 

load module: An Executable, modular unit of machine code (which may include data) 
suitable for loading into Memory for execution by a processor. A Load Module is 
encrypted (when not within a secure processing unit) and has an Identifier that a 
calling process must provide to be able to use the Load Module. A Load Module is 
combinable with other Load Modules, and associated data, to form Executable 
Component Assemblies. A Load Module can execute only in a VDE Protected 
Processing Environment. Library routines are not Load Modules and dynamic link 
libraries are not Load Modules. 

designating: Designating something for a particular Use means specifying it for and 
restricting it to that Use. 

use: see item #64 above 

device class: The generic name for a group of device types. For example, all display 
stations belong to the same device class. A device class is different from a device 
type. A device type is composed of all devices that share a common model number or 
family (e.g. IBM 4331 printers). 


73. 


digitally signing a second
load module with a second
digital signature different
from the first digital
signature, the second
digital signature
designating the second
load module for use by a
second device class having
at least one of tamper
resistance and security
level different from the at
least one of tamper
resistance and security
level of the first device
class;


digitally signing a second load module with a second digital signature different from
the first digital signature, the second digital signature designating the second load
module for use by a second device class having at least one of tamper resistance and
security level different from the at least one of tamper resistance and security level of
the first device class: Digitally Signing a different ("second") Load Module by using
a different ("second") Digital Signature as the signature Key, which signing indicates
to any and all devices in the second device class that the signor authorized and
restricted this Load Module for Use by that device. No VDE device can perform any
execution of any Load Module without such authorization. The method ensures that
the Load Module cannot execute in a particular device class and ensures that no
device in that device class has the Key(s) necessary to verify the Digital Signature.
All devices in the first device class have the same persistent (not just occasional) and
identified level of Tamper Resistance and the same persistent and identified Level of
Security. All devices in the second device class have the same persistent and
identified level of Tamper Resistance and same persistent and identified Level of
Security. The identified level of Tamper Resistance or identified Level of Security
(or both) for the first device class, is greater than or less than the identified Level Of
Tamper Resistance or identified Level of Security for the second device class.

digital signature: see item #72 above 

designating: see item #72 above

device class: see item #72 above 

load module: see item #72 above 

use: see item #64. 

level of security: An ordered measure of the degree of trustworthiness. The "security
level" is persistent unless expressly noted to exist only some of the time. Also, the
combination of a hierarchical classification and a set of nonhierarchical categories that
represents the sensitivity of an object or the clearance of a subject. For example,
Unclassified, Confidential, Secret, and Top Secret are hierarchical classifications, 
whereas NATO and NOFORN are non-hierarchical categories defined by the 
Department of Defense Trusted Computing guidelines. 

tamper resistance: The ability of a Tamper Resistant Barrier to prevent Access, 
observation, and interference with information or processing encapsulated by the 
barrier. 


74. 


distributing the first load 
module for use by at least 
one device in the first 
device class; and 


distributing the first load module for use by at least one device in the first device class:
The first Load Module, Digitally Signed as indicated above, is transmitted to at least
one device in the first device class.

load module: see item #72 above 

device class: see item #72 above 


75. 


distributing the second 
load module for use by at 
least one device in the 
second device class. 


distributing the second load module for use by at least one device in the second device
class: The second Load Module, Digitally Signed as indicated above, is transmitted
to at least one device in the second device class.

load module: see item #72 above 

device class: see item #72 above 
76.


34. A protected processing 
environment comprising: 


Claim as a Whole: The "Protected Processing Environment" is part of and within
VDE. (See item #93 for Microsoft's construction of VDE.) 


77. 


a first tamper resistant 
barrier having a first 
security level, 


tamper resistant barrier: An active device that encapsulates and separates a Protected 
Processing Environment from the rest of the world. It prevents information and
processes within the Protected Processing Environment from being observed,
interfered with, and leaving except under appropriate conditions ensuring Security. It
also Controls external access to the encapsulated Secure resources, processes and
information. A Tamper Resistant Barrier is capable of destroying protected 
information in response to Tampering attempts. 

security level: see item #73 above 


78. 


a first secure execution
space, and 


secure execution space: An allocated Portion of the Secure Memory within a
special-purpose secure processing unit which is isolated from the rest of the world, and
protected from observation by (and encapsulated within) a Tamper Resistant Barrier
and protected from alteration by the processor. The processor cryptographically
verifies the integrity of all code loaded from Secure Memory prior to execution,
executes only the code that the processor has authenticated for its use, and is otherwise 
Secure. 


79. 


at least one arrangement 
within the first tamper 
resistant barrier that


arrangement within the first tamper resistant barrier: An organization of hardware and
software which arrangement is located and executed wholly within the first Tamper
Resistant Barrier.

arrangement: A collection of things that have been arranged. In context, the term
requires an organization of hardware and software and data, or hardware and software,
or hardware and data.

tamper resistant barrier: see item #72 above 


80. 


prevents the first secure 
execution space from 
executing the same 
executable accessed by a 
second secure execution 
space having a second 
tamper resistant barrier 
with a second security 
level different from the 
first security level 


prevents the first secure execution space from executing the same executable accessed
by a second secure execution space having a second tamper resistant barrier with a
second security level different from the first security level: "A second secure
execution space having a second tamper resistant barrier with a second security level
different from the first security level": a second Secure Execution Space (different
from the first Secure Execution Space) is part of the Protected Processing
Environment, and has a Tamper Resistant Barrier (different from the first Tamper
Resistant Barrier) that has a persistent (not just occasional) Security Level greater
than or less than the first persistent Security Level.

"The same executable accessed by": the same Executable (as opposed to, e.g., two 
copies of the same Executable) is simultaneously accessed by both the first Secure 
Execution Space and the second Secure Execution Space. 

"Prevents the first secure execution space from executing": the arrangement Prevents
the first secure execution space, otherwise capable of executing the Executable,
from executing any part of the Executable (e.g., on behalf of any user, process, or
device).

prevents: Imposes an active restraint on an action such that it cannot occur by any
means or under any circumstances.

access (accessed): see item #29 above 

security level: see item #73 above 
81.


58. A method of 


Claim as a whole: The recited method is performed within a VDE. (See item #93 for 
Microsoft's construction of VDE.) 


82. 


creating a first secure 
container, said method 
including the following 
steps; 


creating a first secure container: This preamble language is a claim limitation.

Completely forming (as opposed to defining) the Secure Container, within a VDE
Secure Processing Environment(s).

secure container: see item #59 above


83. 


accessing a descriptive 
data structure, said 
descriptive data structure 
including or addressing 
organization information 
at least in part describing 
a required or desired 
organization of a content 
section of said first secure 
container, and metadata 
information at least in part 
specifying at least one step 
required or desired in 
creation of said first 
secure container; 


including or addressing organization information at least in part describing a required
or desired organization of a content section of said first secure container, and
metadata information at least in part specifying at least one step required or desired in
creation of said first secure container: The same single Descriptive Data Structure
must either Contain within its confines or Address both Organization Information
and Metadata Information.

Both the "desired" organization of the content section and also the "desired" step,
occur after the Descriptive Data Structure is accessed, not before.

The Metadata Information explicitly identifies a procedure ("step") that must be
executed in creation of the first Secure Container, as opposed to identifying a
procedure to be run if later required or desired, as opposed to Identifying a result or a
Data Item to be included in the first Secure Container, and as opposed to identifying
information which operates as a parameter for a procedure.

required: A condition without which an action cannot occur. A required condition acts 
prospectively - it does not apply to a description created at or after the creation of the 
object to which it applies. 

access (accessing): see item #29 above

descriptive data structure: A machine-readable data structure (e.g., text file, template, 
etc.) Containing or Addressing descriptive information (e.g., Metadata, shorthand 
abstract representation, integrity constraints, Rules, instructions, etc.) about (1) the 
layout, generic format, attributes, or hierarchical structure of the contents section of 
one or a family of other data structure(s) (e.g., a rights management data structure), (2) 
the operations or processes used to create or Use such other data structure(s), and/or
(3) the consequences of such operations. The Descriptive Data Structure is capable
of being used to create or handle (e.g., read, locate information within, request
information from, and/or manipulate) the other data structure(s). The Descriptive
Data Structure is not Associated With the other data structure(s) and does not
Contain or specify its particular contents (e.g., "Yankees Win the Pennant!").

addressing: Referring to something by the specific location where it is stored, without
directly storing it. The location is explicitly identified by its name or number.

Organization (organization, organization information): The manner in which data is 
represented and laid out in physical storage. For example, for data organized as 
records: the field hierarchy, order, type and size. 

organize: Representing and laying out data in a particular manner in physical storage. 

metadata information: Information that describes one or more attributes of other data, 
and/or the processes used to create and/or Use that data. For example, Metadata 
Information may describe the following attributes of other data: its meaning, 
representation in storage, what it is used for and by whom, context, quality and 
condition, location, ownership, or its data elements or their attributes (name, size, data 
type, etc.)


84. 


using said descriptive 
data structure to organize 
said first secure container 
contents; 


descriptive data structure: see item #83 above
including: see item #2 above 
organize: see item #83 above 


85. 


using said metadata 
information to at least in 
part determine specific 
information required to be 
included in said first 
secure container contents; 
and 


at least in part determine specific information required to be included in said first
secure container contents: The Metadata Information is used to determine the specific
value, not merely the kind, of at least some of the information that must be placed
inside the Secure Container.

The use of the Metadata Information actively requires the Secure Container 
creation steps to add this specific information to the first Secure Container, as 
opposed to the specific information being within the Secure Container for some other 
reason. 

required: see item #83 above
including (included): see item #2 above 


86. 


generating or identifying 
at least one rule designed 
to control at least one 
aspect of access to or use 
of at least a portion of said 
first secure container 
contents 


generating or identifying at least one rule designed to control at least one aspect of
access to or use of at least a portion of said first secure container contents:
Generating or Identifying a Rule designed for these particular Secure Container
contents, which is used (by VDE Control(s) executing in VDE Secure Processing
Environment(s)) to limit Access to or Use of at least a Portion of the contents of the
first Secure Container (by all users, processes, and devices). Without compliance
with this Rule, no process, user, or device is able to take the Controlled aspect of the
Controlled Access or Use action.

The Rule is generated or Identified based at least in part on the Descriptive Data 
Structure. 

generating: Producing.
identifying: see item #19 above
rule: see item #63 above
control: see item #17 above
aspect: see item #64 above
access: see item #29 above
use: see item #43 above
portion: see item #9 above
secure container: see item #59 above
87.


1. A method for using at
least one


Claim as a whole: The recited method is performed within a VDE. (See item #93 for 
Microsoft's construction of VDE.) 


88. 


resource processed in a 
secure operating 
environment at a first 
appliance, said method 
comprising: 


resource processed in a secure operating environment at a first appliance: This
preamble language is a claim limitation. A shared facility, required by a job or task, of
a first appliance's Secure Operating Environment which is processed within that
Secure Operating Environment's special-purpose Secure Processing Unit. A Secure
Processing Unit is a special-purpose unit isolated from the rest of the world in which a
hardware Tamper Resistant Barrier encapsulates a processor and internal Secure
Memory. The Tamper Resistant Barrier prevents all unauthorized interference,
removal, observation, and Use of the information and processes within it. The
processor cryptographically verifies the integrity of all code loaded from the Secure
Memory prior to execution, executes only the code that the processor has
authenticated for its Use, and is otherwise Secure.

resource processed: A record containing control information, which record is stored
and acted upon within a processing environment.

secure operating environment: Same as Secure Processing Environment.


89. 


securely receiving a first 
entity's control at said first
appliance, said first entity 
being located remotely from 
said operating 
environment and said first 
appliance; 


securely receiving a first entity's control at said first appliance: This claim language
falls within 35 U.S.C. § 112, ¶ 6. It recites a step or result ("Securely receiving")
without reciting an action that achieves that result. The specification does not clearly
link any particular action to this recited step. Part of the recited function is performed
by Communications Controller 666, I/O Controller 600, SPE 503/SPU 500
(particularly "SPU Encryption/Decryption Engine 522" and NVRAM 534b).

The recited function requires: A first appliance obtaining a VDE Secure Container 
encapsulating a Control created, selected, or modified by a first entity, as part of a 
communication encrypted on the communications level, authenticating the first 
appliance in accordance with VDE Controls Associated With the Secure Container, 
and accepting the Secure Container. 

entity: Any person or organization.

entity's control: Control created, modified or selected by any person or organization
to Control a particular Use of or Access to particular Protected information by a
particular user(s).

control: see item #17 above

operating environment: see item #88 above


90. 


securely receiving a second 
entity's control at said first
appliance, said second 
entity being located 
remotely from said 
operating environment and 
said first appliance, said 
second entity being different 
from said first entity; and 


securely receiving a second entity's control at said first appliance: This claim language
falls within 35 U.S.C. § 112, ¶ 6. It recites a step or result ("securely receiving")
without reciting an action that achieves that result. The specification does not clearly
link any particular action to this recited step. Part of the recited function is performed
by Communications Controller 666, I/O Controller 600, SPE 503/SPU 500
(particularly "SPU Encryption/Decryption Engine 522" and NVRAM 534b).

The recited function requires: A first appliance obtaining a VDE Secure Container 
encapsulating a Control created, selected, or modified by a second entity, as part of a 
communication encrypted on the communications level, Authenticating the first 
appliance in accordance with VDE Controls Associated With the Secure Container, 
and accepting the Secure Container. 
entity's control: see item #89 above
control: see item #17 above 


91. 


securely processing a data 
item at said first appliance, 
using at least one resource, 
including 


securely processing a data item at said first appliance, using at least one resource,
including: Performing an operation, inside the special-purpose Secure Processing
Unit of the first appliance, on a Data Item inside the Secure Processing Unit. The
operation cannot be observed from outside the Secure Processing Unit and is
performed only after the integrity of the program code for performing such operation is
cryptographically verified. A Secure Processing Unit is a special-purpose unit isolated
from the rest of the world in which a hardware Tamper Resistant Barrier
encapsulates a processor and internal Secure Memory. The Tamper Resistant
Barrier prevents all unauthorized interference, removal, observation, and Use of the
information and processes within it. The processor cryptographically verifies the
integrity of all code loaded from the Secure Memory prior to execution, executes only
the code that the processor has authenticated for its Use, and is otherwise Secure.

control: see item #17 above 

data item: An individual unit of digital information representing a single value, such 
as that stored in a field of a larger Record in a database. It is the smallest useful unit 
of named information in the system. 

resource: A shared facility of a computing system or operating system, which is 
required by a job or task, and is processed by a processing unit.


92. 


securely applying, at said 
first appliance through use 
of said at least one resource 
said first entity's control 
and said second entity's 
control to govern use of 
said data item. 


securely applying, at said first appliance through use of said at least one resource said
first entity's control and said second entity's control to govern use of said data item:
Processing the resource (component part of a first appliance's Secure Operating
Environment) within the Secure Operating Environment's special-purpose Secure
Processing Unit to execute the first Control and second Control in combination within
the Secure Processing Unit. This execution of these Controls Governs all Use of the
Data Item by all users, processes, and devices. The processing of the Resource and
execution of the Controls cannot be observed from outside the Secure Processing Unit
and is performed only after the integrity of the Resource and Controls is
cryptographically verified. A Secure Processing Unit is a special-purpose unit isolated
from the rest of the world in which a hardware Tamper Resistant Barrier
encapsulates a processor and internal Secure Memory. The Tamper Resistant
Barrier prevents all unauthorized interference, removal, observation, and Use of the
information and processes within it. The processor cryptographically verifies the
integrity of all code loaded from the Secure Memory prior to execution, executes only
the code that the processor has authenticated for its Use, and is otherwise Secure.

control: see item #17 above

data item: see item #91 above 

resource: see item #91 above 

use: see item #43 above 

govern: see Control (v.) item #7 above 



EXHIBIT A TO JOINT CLAIM CONSTRUCTION STATEMENT 
Page 27 of 37



'900 Asserted Claim: 155 



'900 Claim 155 



MS Construction 



93. 



155. A virtual 
distribution environment 
comprising 



Claim as a Whole: The "Virtual distribution environment" is VDE.



VDE/Virtual Distribution Environment:



Data Security and Commerce World: InterTrust's February 13, 1995, patent
application described as its "invention" a Virtual Distribution Environment ("VDE
invention") for Securing, administering, and auditing all Security and commerce
digital information within its multi-node world (community). VDE guarantees to all
VDE "participants" identified in the patent application that it will limit all Access to
and Use (i.e., interaction) of such information to Authorized activities and amounts,
will ensure any requested reporting of and payment for such Use, and will maintain the 
availability, secrecy, integrity, non-repudiation and authenticity of all such information 
present at any of its nodes (including Protected content, information about content 
usage, and content Controls.). 

VDE is Secure against at least the threats identified in the February 1995, patent
application to this availability (no user may delete the information without
Authorization), secrecy (neither available nor disclosed to unauthorized persons or
processes), integrity (neither intentional nor accidental alteration), non-repudiation
(neither the receiver can disavow the receipt of a message nor can the sender disavow
the origination of that message) and authenticity (asserted characteristics are genuine). 
VDE further provides and requires the components and capabilities described below. 
Anything less than or different than this is not VDE or the described "invention." 

Secure Processing Environment: At each node where VDE-Protected information is
Accessed, Used, or assigned control information, VDE requires a Secure Processing
Environment. A Secure Processing Environment is uniquely identifiable,
self-contained, non-circumventable, and trusted by all other VDE nodes to protect the
availability, secrecy, integrity and authenticity of all information identified in the 
patent application as being Protected, and to guarantee that such information will be 
Accessed and Used only as expressly Authorized by the associated VDE Controls, 
and to guarantee that all requested reporting of and payments for protected information 
use will be made. A Secure Processing Environment is formed by, and requires, a 
Secure Processing Unit having a hardware Tamper Resistant Barrier encapsulating a 
processor and internal Secure Memory. The Tamper Resistant Barrier prevents all 
unauthorized interference, removal, observation, and other Use of the information and 
processes within it. 

VDE Controls : VDE Allows Access to or Use of Protected information and 
processes only through execution of (and satisfaction of the requirements imposed by) 
independent, special-purpose, Executable VDE Control(s). Each VDE Control is a 
Component Assembly dedicated to a particular activity (e.g., editing, modifying 
another Control, a user-defined action, etc.), particular user(s), and particular 
protected information. Each separate information Access or Use is independently 
Controlled by independent VDE Control(s). A VDE Control can execute only 
within a Secure Processing Environment. Each VDE Control is assembled, within a 
Secure Processing Environment, from independently deliverable modular 
components (e.g., Load Modules or other Controls), dynamically in response to an 
information Access or Use request. The dynamic assembly of a Control is directed by
a "blueprint" Record (put in place by one or more VDE users) Containing control 
information identifying the exact modular code components to be assembled and 
executed to Govern this particular activity on this particular information by this 
particular user(s). Each Control is independently assembled, loaded and delivered 
vis-a-vis other Controls. Control information and Controls are extensible and can be 
configured and modified by all users, and combined by all users with any other VDE 
control information or Controls (including that provided by other users), subject only 
to "senior" user Controls. Users can assign control information and Controls to all of 
or an arbitrarily fine, user-defined Portion of the Protected information, such as a 
single paragraph of a document, as opposed to being limited to file-based controls. 









VDE Controls reliably limit Access and Use of the protected information to 
Authorized activities and amounts. 

VDE Secure Container: A VDE Secure Container is a self-contained self-protecting 
data structure which (a) encapsulates information of arbitrary size, type, format, and 
organization, including other, nested, containers, (b) cryptographically protects that 
information from all unauthorized Access and Use, (c) provides encrypted
storage-management functions for that information, such as hiding the physical storage
location(s) of its Protected contents, (d) permits the Association of itself and/or all of
or arbitrary Portions of its contents with Controls and control information Governing
Access to and Use thereof, and (e) Prevents such Use or Access (as opposed to merely
Preventing decryption) until it is opened. A Secure Container Can Be opened only
as expressly Allowed by the associated VDE Control(s), only within a Secure
Processing Environment, and only through decryption of its encrypted header. A 
Secure Container is not directly accessible to any non-VDE calling process. All such 
calls are intercepted by VDE. The creator of a Secure Container can assign (or allow 
others to assign) control information to all of or any arbitrary Portion of a Secure 
Container's contents, or to an empty Secure Container (to Govern the addition of 
contents to the Secure Container, and Access to or Use of those contents). A 
container is not a Secure Container merely because its contents are encrypted and 
signed. All VDE-Protected information (including protected content, information 
about content usage, and Controls) is encapsulated within a Secure Container 
whenever stored outside a Secure Processing Environment or Secure Database. 

Non-Circumventable: VDE is non-circumventable (sequestered). It intercepts all 
attempts by any and all users, processes, and devices, to Access or Use (such as
observing, interfering with, or removing) Protected information, and Prevents all
such attempts other than as Allowed by execution of (and satisfaction of all 
requirements imposed by) Associated VDE Controls within Secure Processing 
Environment(s). 

Peer to Peer: VDE is peer-to-peer. Each VDE node has the innate ability to perform
any role identified in the patent application (e.g., end user, content packager, 
distributor, Clearinghouse, etc.), and can protect information flowing in any direction 
between any nodes. VDE is not client-server. It does not pre-designate and restrict 
one or more nodes to act solely as a "server" (a provider of information (e.g., authored 
content, control information, etc.) to other nodes) or "client" (a requestor of such
information). All types of protected-content transactions can proceed without 
requiring interaction with any server. 

Comprehensive Range of Functions: VDE comprehensively Governs all Security
and commerce activities identified in the patent application, including (a) metering,
budgeting, monitoring, reporting, and auditing information usage, (b) billing and
paying for information usage, and (c) negotiating, signing and enforcing contracts that
establish users' rights to Access or Use information. 

User-Configurable: The specific protections Governing specific VDE-Protected 
information are specified, modified, and negotiated by VDE's users. For example, 
VDE enables a consumer to place limits on the nature of content that may be accessed 
at her node (e.g., no R-rated material) or the amount of money she can spend on 
viewing certain content, both subject only to other users' senior Controls. 

General Purpose; Universal: VDE is universal as opposed to being limited to or 
requiring any particular type of appliance, information, or commerce model. It is a 
single, unified standard and environment within which an unlimited range of electronic 
rights protection, data Security, electronic currency, and banking applications can run. 

Flexible: VDE is more flexible than traditional information Security and commerce 
systems. For example, VDE allows consumers to pay for only the user-defined
Portion of information that the user actually uses, and to pay only in proportion to any
quantifiable VDE event (e.g., for only the number of paragraphs displayed from a 
book), and allows editing the content in VDE containers while maintaining its 
Security. 


94. 


a first host processing 
environment comprising 


a first host processing environment comprising: A Host Processing Environment
that encompasses the recited computer hardware (central processing unit, main
Memory, and mass storage) and certain VDE Protected Processing Environment
software loaded in that main Memory and executing in that central processing unit,
but does not encompass software, such as the recited Tamper Resistant Software,
which is stored in mass storage and not executing.

host processing environment: A processing environment within a VDE node which is 
not a Secure Processing Environment. A "host processing environment" may either
be "secure" or "not secure." A "secure host processing environment" is a
self-contained Protected Processing Environment, formed by loaded, Executable
programming executing on a general purpose CPU (not a Secure Processing Unit)
running in protected (privileged) mode. A "non-secure host processing environment" 
is formed by loaded, Executable programming executing on a general purpose CPU 
(not a Secure Processing Unit) running in user mode. 


95. 


a central processing unit; 




96. 


main memory operatively 
connected to said central 
processing unit; 


memory: see item #3 above 


97. 


mass storage operatively 
connected to said central 
processing unit and said 
main memory; 


memory: see item #3 above 


98. 


said mass storage storing 
tamper resistant software 


said mass storage storing tamper resistant software: The Tamper Resistant Software 


is physically stored within, as opposed to being merely Addressed by, the mass 
storage. 

tamper resistant software: Software that is encapsulated and executed wholly within a 
Tamper Resistant Barrier. 


99. 


designed to be loaded into 
said main memory and 
executed by said central 
processing unit, 


designed to be loaded into said main memory and executed by said central processing 
unit: The Tamper Resistant Software is capable of being loaded into only said main 
Memory and is capable of being executed only by said central processing unit. 


100. 


said tamper resistant 
software comprising: 
machine check 
programming which 
derives information from 
one or more aspects of said 
host processing 
environment, one or more 
storage locations storing 
said information; 


said tamper resistant software comprising: machine check programming which derives 


information from one or more aspects of said host processing environment, one or 


more storage locations storing said information: The Tamper Resistant Software 
within said mass storage includes one or more storage locations within it. These 
storage locations are designated to store, and must store, information Derived by the 
Machine Check Programming, and must not store any other information. 

machine check programming: Executable programming that when executed checks a 
machine and generates a unique "machine signature" which distinguishes the physical 
machine from all other machines. This machine check programming code sometimes 
is invoked by integrity programming. 

host processing environment: see item #94 above 



EXHIBIT A TO JOINT CLAIM CONSTRUCTION STATEMENT 





'900 Claim 155 


MS Construction 






derives: To retrieve from a specified source. 
aspect: see item #64 above 


101. 


derives information from 
one or more aspects of said 
host processing 
environment 


derives information from one or more aspects of said host processing environment: 


Deriving from the Host Processing Environment hardware one or more values that 
uniquely and persistently Identify the Host Processing Environment and distinguish 
it from other Host Processing Environments. 

The "one or more aspects of said host processing environment" are persistent elements 
or properties of the Host Processing Environment itself that are capable of being 
used to distinguish it from other environments, as opposed to, e.g., data or programs 
stored within the mass storage or main Memory, or processes executing within the 
Host Processing Environment. 

host: see item #94 above 
derives: see item #100 above 
aspect: see item #64 above 


102. 


one or more storage 
locations storing said 
information; 


One or more storage locations: One or more logical storage locations within the 
Tamper Resistant Software storing only information Derived by the Machine Check 
Programming. 


103. 


integrity programming 
which causes said machine 
check programming to 
derive said information, 
compares said information 
to information previously 
stored in said one or more 
storage locations, and 


integrity programming: Executable programming that when executed checks and 
reports on the integrity of a device or process. "Integrity" means the property that 
information has not been altered either intentionally or accidentally. 

information previously stored in said one or more storage locations: Any information 


once stored in said "one or more storage locations storing said information," but not 
stored therein when the recited comparison occurs. 

information previously stored: Information that once was stored but is no longer 
stored. 

derive: see item #100 above 

compares: A processor operation that evaluates two quantities and sets one of three 
flag conditions as a result of the comparison - greater than, less than, or equal to. 


104. 


generates an indication 
based on the result of said 
comparison; and 


generates an indication based on the result of said comparison: Producing an 


indication based on the result of the "compares" step. The "indication" need not be 
displayed to a user. The indication is based solely on that result. There are only two 
possible indications: exact match found or exact match not found. 

comparison: see item #103 above 


105. 


programming which takes 
one or more actions based 
on the state of said 
indication; 


programming which takes one or more actions based on the state of said indication: 


Executable programming code that is a part of the Tamper Resistant Software, when 
executed, and not a part of the Host Processing Environment. Whenever the recited 
indication is generated, no matter what it indicates, this code (executing on the CPU 
for which it was designed and loaded in the Memory for which it was designed) must 
take an action, or more than one action. The particular action(s) taken must be based 
solely on the state of that indication. 


106. 


said one or more actions 
including at least 
temporarily halting further 
processing. 


at least temporarily halting further processing: The action(s) taken by this 
programming must encompass Halting or temporarily Halting all further processing 
of the Host Processing Environment and any processes running within it. 

halting: Stopping execution of a running (executing) process unconditionally (i.e., 
without providing any specific condition for resumption). For example, executing an 
instruction known as a "breakpoint halt instruction." 


107. 


8. A process comprising 
the following steps: 


Claim as a whole: The recited method is performed within a VDE. (See item #93 for 
Microsoft's construction of VDE.) 


108. 


accessing a first record 
containing information 
directly or indirectly 
identifying one or more 
elements of a first 
component assembly, 


record: A data structure that is a collection of fields (elements), each with its own 
name and type. Unlike an array, whose elements are accessed using an index, the 
elements of a record are accessed by name. A record can be accessed as a collective 
unit of elements, or the elements can be accessed individually. 

identifying: see item #19 above 

access: see item #29 above 

comparison: see item #103 above 

component assembly: A cohesive Executable component created by a channel which 
binds or links together two or more independently deliverable Load Modules, and 
Associated data. A Component Assembly is assembled, and executes, only within a 
VDE Secure Processing Environment. A Component Assembly is assembled 
dynamically in response to, and to service, a particular content-related activity (e.g., a 
particular Use request). Each VDE Component Assembly is assigned and dedicated 
to a particular activity, particular user(s), and particular Protected information. Each 
Component Assembly is independently assembled, loadable and deliverable vis-a-vis 
other Component Assemblies. The dynamic assembly of a Component Assembly is 
directed by a "blueprint" Record Containing Control information for this particular 
activity on this particular information by this particular user(s). Component 
Assemblies are extensible and can be configured and reconfigured (modified) by all 
users, and combined by all users with other Component Assemblies, subject only to 
other users' "senior" Controls. 


109 


at least one of said 
elements including at least 
some executable 
programming, 


executable programming: 

executable: A cohesive series of machine code instructions in a format that can be 
loaded into Memory and run (executed) by a connected processor. 

executable programming: A cohesive series of machine code instructions comprising 

a computer program, in a format that can be loaded into Memory and run (executed) 
by a connected processor. (A "computer program" is a complete series of definitions 
and instructions that when executed on a computer will perform a required or 
requested task.) 

including: see item #2 above 


110 


at least one of said 
elements constituting a 
load module, 


load module: see item #72 above 


111. 


said load module 
including executable 
programming and a 

header; 


load module: see item #72 above 

including: see item #2 above 

executable programming: see item #109 above 


112 


said header including an 
execution space identifier 
identifying at least one 
aspect of an execution 
space required for use 
and/or execution of the 
load module associated 
with said header; 


identifying at least one aspect of an execution space required for use and/or execution 
of the load module: Defining fully, without reference to any other information, at least 
one of the persistent elements or properties (aspects) (that are capable of being used to 
distinguish it from other environments of an Execution Space) that are Required for 
any Use, and/or for any execution, of the Load Module. An Execution Space without 
all of those Required aspects is incapable of making any such execution and/or other 
Use (e.g., Copying, displaying, printing) of the Load Module. 

including: see item #2 above 

execution space identifier: A value that uniquely identifies a particular execution 
space. 

execution space: A processor-addressable physical Memory into which data and 
Executable code can be loaded, which is assigned to a single executing process while 
that process is actively executing. Memory holding "swapped out" processes or 
Executables is not part of an "execution space." 

load module: see item #110 above 

required: see item #83 above 

aspect: see item #64 above 

associated with: see item #4 above 

identifying: see item #19 above 


113 


said execution space 
identifier provides the 
capability for 
distinguishing between 
execution spaces providing 
a higher level of security 
and execution spaces 
providing a lower level of 
security; 


said execution space identifier provides the capability for distinguishing between 


execution spaces providing a higher level of security and execution spaces providing a 


lower level of security: The Execution Space Identifier, by itself, provides the Load 
Module with the capability of determining the persistent Level of Security of any 
Execution Space in which it is loaded, and of distinguishing between any two 
Execution Spaces based on their respective, determined persistent (not just occasional) 
"Levels Of Security." This capability extends to at least two Execution Spaces 
providing a higher Level of Security and at least two Execution Spaces providing a 
lower Level of Security. 

execution space identifier: see item #112 above 

execution space: see item #112 above 

level of security: see Security Level, item #73 above 


114. 


using said information to 
identify and locate said 
one or more elements; 


identify: see item #19 above 


115. 


accessing said located one 
or more elements; 


access: see item #29 above 


116. 


securely assembling said 
one or more elements to 
form at least a portion of 
said first component 
assembly; 


securely assembling: Securely (1) linking or binding plural distinct elements together 
in a particular manner (specified by authenticated assembly instructions) into a single 
cohesive Executable unit so the elements can directly reference each other element 
within the resulting assembly, within a VDE Secure Processing Environment, (2) 
validating and verifying the authenticity and integrity of each element (e.g., that it has 
not been modified from or substituted for the correct element) immediately prior to 
binding it into the assembly and ensuring that the elements are linked together 
only in ways that are intended by the VDE participants who created the elements 
and/or specified the assembly thereof. 

component assembly: see item #108 above 


117. 


executing at least some of 
said executable 
programming; and 


executable programming: see item #109 above 


118 


checking said record for 
validity prior to performing 
said executing step. 


checking said record for validity prior to performing said executing step: Before 


executing any Executable Programming encompassed within any element which is 
directly or indirectly identified by any information Contained within the first 
Record, evaluating, within a VDE Secure Processing Environment, the values and 
formats of all data fields within the first Record and confirming that they have 
legitimate values and formats. 

record: see item #108 above 

validity: The state in which authenticated data conforms to predetermined 
completeness and consistency parameters. 


119 


35. A process comprising 
the following steps: 


Claim as a whole: The recited method is performed within a VDE. (See item #93 for 
Microsoft's construction of VDE.) 


120 


at a first processing 
environment receiving a 
first record from a second 
processing environment 
remote from said first 
processing environment; 


processing environment: A standardized, well-defined, self-contained, computing 
base, formed by hardware and executing code, that provides an "interface" and set of 
resources which can support different applications, on different types of hardware 
platforms. In the context of claim 35 of the '912 patent: a Secure Processing 
Environment. 

record: see item #108 above 


121 


said first record being 
received in a secure 
container; 


received in a secure container: The first Processing Environment obtained a VDE 
Secure Container encapsulating the Record inside, and authenticated the intended 
recipient in accordance with VDE Controls Associated With the Secure Container, 
and accepted the Secure Container. 

secure container: see item #59 above 


122 


said first record containing 
identification information 
directly or indirectly 
identifying one or more 
elements of a first 
component assembly; 


containing: see item #60 above 
identifying: see item #19 above 
component assembly: see item #108 above 


123. 


at least one of said 
elements including at least 
some executable 
programming; 


including: see item #2 above 


124. 


said component assembly 
allowing access to or use 

of specified information; 


said component assembly allowing access to or use of specified information: The 


Component Assembly identifies specific information (the specific value, not merely 
the kind of information) over which it (by itself and with no other information), 
executing in a VDE Secure Processing Environment, Allows Access or Use (as 
opposed to Access "and" Use). Unless Allowed by the Component Assembly, no 
user, process, or device is able to Access or Use the specified information. The 
Component Assembly is Associated With and dedicated to this particular specified 
information. 

component assembly: see item #108 above 
allow (allowing): see item #10 above 
access: see item #29 above 


125. 


said secure container also 
including a first of said 
elements; 


secure container: see item #59 above 
including: see item #2 above 


126. 


accessing said first record; 


access: see item #29 above 
record: see item #108 above 


127. 


using said identification 
information to identify and 
locate said one or more 
elements; 


identify: see item #19 above 


locating a second of said 
processing environment 
located remotely from said 
first processing 
environment and said 
second processing 
environment; 


processing environment: see item #120 above 


129 


accessing said located one 
or more elements; 


access (accessing): see item #29 above 


130 


said element accessing step 
including retrieving said 
second element from said 
third processing 
environment; 




131, 


securely assembling said 
one or more elements to 
form at least a portion of 
said first component 
assembly specified by said 
first record; and 


said first component assembly specified by said first record: The first Record by itself 


Contains sufficient information to unambiguously Identify the assembled 
Component Assembly, including all of its elements. 

This limitation is inconsistent with the recitation "first record containing identification 
information directly or indirectly identifying one or more elements of first component 
assembly." 

securely assembling: see item #116 above 
component assembly: see item #108 above 
record: see item #108 above 


132. 


executing at least some of 
said executable 
programming, 


executable programming: see item #109 above 


133. 


said executing step taking 
place at said first 
processing environment. 


processing environment: see item #120 above 


Claim Term / Phrase 


Agreed Construction 


Entity 
891.1 


Any person or organization. 


Generating 
861.58 


Producing. 


Govern, governed, governing 
891.1, 683.2 


See Control (v.). 


Metadata information 
861.58 


Information that describes one or more attributes of other data, and/or the processes 
used to create and/or use that data. For example, metadata information may describe 
the following attributes of other data: its meaning, representation in storage, what it is 
used for and by whom, context, quality and condition, location, ownership, or its data 
elements or their attributes (name, size, data type, etc.) 


Rendering 

193.11, 193.15, 193.19 


In the context of 193.11, 15 and 19: Playing content through an audio output (e.g., 
speakers) or displaying content on a video output (e.g., a screen). 


Secure container rule 
683.2 


A Rule that Governs a Secure Container Governed Item. 


Security 
721.1, 721.34 


See Secure. 


Tampering 

683.2, 721.1, 721.34, 900.155 


Using (e.g., observing or altering) in any unauthorized manner, or interfering with 
authorized use. 


"said mass storage, storing tamper 
resistant software" 

900.155 


The Tamper Resistant Software is physically stored within, as opposed to being merely 
Addressed by, the mass storage. 


"including using said key to 
decrypt at least a portion of said 
first digital file" 

193.19 


The "at least one use of said digital file" must encompass decrypting at least a Portion 
of the Digital File using the Key. 



Notation: 

Each term is followed by a list of the claims in which it appears (e.g., "193.15" means claim 15 from the '193 patent). 

'193 patent = U.S. Patent No. 6,253,193 

'683 patent = U.S. Patent No. 6,185,683 

'721 patent = U.S. Patent No. 6,157,721 

'891 patent = U.S. Patent No. 5,982,891 

'861 patent = U.S. Patent No. 5,920,861 

'912 patent = U.S. Patent No. 5,917,912 

'900 patent = U.S. Patent No. 5,892,900 


PLR 4-3(b) - InterTrust's Construction of Disputed Terms & Phrases 



Claim Term / Phrase 


InterTrust Construction 


access, accessed, access to, 
accessing 

193.15, 193.19, 912.8, 912.35, 

oOJ.Do, VOJ.Z, //J 


To obtain something so it can be used. 


addressing 

BO J. Do 


Referring by specific location or individual name to something without directly storing 
it. 


allowing, allows 

912.35, 193.1, 193.11, 193.15, 
193.19 


Normal English: permitting, permits; letting happen, lets happen. 


arrangement 
721.34 


Normal English: a collection of things that have been arranged. In context, the term 
can apply to an organization of hardware and/or software and/or data. 


aspect 

900.155,912.8, 861.58, 683.2 


Feature, element, property or state. 


associated with 

912.8, 193.1, 193.11, 193.15, 
683.2 


Having a relationship with. 


authentication 
193.15 


Identifying (e.g., a person, device, organization, document, file, etc.). Includes 
uniquely identifying or identifying as a member of a group. 


authorization information, 
authorized, not authorized 

193.15, 193.19 


Authorize: Normal English: permit. 

Authorization Information: Information (e.g., a key) received if an action is 
Authorized. 

Information: nonaccidental signal(s) or character(s) used in a computer or 
communication system. Information includes programs and also includes data. 


budget control; budget 
193.1 


Budget: Information specifying a limitation on usage. See Authorization Information 
for the definition of Information. 

Budget control: The term is explicitly defined in the claim as a Control "including a 
budget specifying the number of copies which can be made of said digital file." 


can be 
193.1 


Normal English: the specified act is able or authorized to be carried out. In context, 
this means the number of copies allowed to be made. 


capacity 
683.2 


Normal English: "ability," or "capability." 


clearinghouse 
193.19 


A provider of financial and/or administrative services for a number of Entities; or an 
entity responsible for the collection, maintenance, and/or distribution of materials, 
information, licenses, etc. 


compares, comparison 
900.155 


Normal English: 

Compares: examines for the purpose of noting similarities and differences. 
Comparison: the act of comparing. 


component assembly 
912.8, 912.35 


Components are code and/or data elements that are independently deliverable. A 
Component Assembly is two or more components associated together. Component 
Assemblies are utilized to perform operating system and/or applications tasks. 


contain, contained, containing 
683.2, 912.8, 912.35 


Normal English: to have within or to hold. In the context of an element contained 
within a data structure (e.g., a secure container), the contained element may be either 
directly within the container or the container may hold a reference indicating where the 
element may be found. 


control (n.) 

193.1, 193.11, 193.15, 193.19, 
891.1 


Information and/or programming Governing operations on or use of Resources (e.g., 
content) including (a) permitted, required or prevented operations, (b) the nature or 
extent of such operations or (c) the consequences of such operations. 


controlling, control (v.) 
861.58, 193.1 


Normal English: to exercise authoritative or dominating influence over; direct. 


copied file 
193.11 


A Digital File that has been Copied and is usable. 


copy, copied, copying 

193.1, 193.11, 193.15, 193.19 


Reproduce, reproduced, reproducing. The reproduction must be usable, may 
incorporate all of the original item or only some of it, and may involve some changes 
to the item as long as the essential nature of the content remains unchanged. 


copy control 
193.1 


A Control used to determine whether a Digital File may be Copied and the Copied 
Digital File stored on a second device. 


data item 
891.1 


A unit of digital information. 


derive, derives 
900.155 


Normal English: obtain, receive or arrive at through a process of reasoning or 
deduction. In the context of computer operations, the "process of reasoning or 
deduction" constitutes operations carried out by the computer. 


descriptive data structure 
861.58 


Machine-readable description of the layout and/or contents of a rights management 
data structure (e.g., a Secure Container). 


designating 
721.1 


Normal English: indicating, specifying, pointing out or characterizing. 


device class 
721.1 


A group of devices which share at least one attribute. 


digital file 

193.1, 193.11, 193.15, 193.19 


A named collection of digital information. 


digital signature, digitally signing 
721.1 


Digital signature: A digital value, verifiable with a Key, that can be used to determine 
the source and/or integrity of a signed item (e.g., a file, program, etc.). 

Digitally signing is the process of creating a digital signature. 


entity's control 
891.1 


Entity's Control: Control belonging to or coming from an Entity. See list of Agreed 
Constructions for definition of Entity. 


environment 

912.35, 900.155, 891.1, 683.2, 
721.34 


Capabilities available to a program running on a computer or other device or to the 
user of a computer or other device. Depending on the context, the environment may 
be in a single device (e.g., a personal computer) or may be spread among multiple 
devices (e.g., a network). 


executable programming, 
executable 

912.8, 912.35, 721.34 


A computer program that can be run, directly or through interpretation. 


execution space, execution space 
identifier 

912.8 


Execution space: Resource which can be used for execution of a program or process. 

Execution space identifier: Information Identifying an Execution Space. See 
Authorization Information for definition of Information. 


governed item 
683.2 


Governed Item: an item that is Governed. See list of Agreed Constructions for the 
definition of Governed. 


halting 
900.155 


Normal English: suspending. 


host processing environment 
900.155 


This term is explicitly defined in the claim and therefore needs no additional 
definition. It consists of those elements listed in the claim. 

Without waiving its position that no separate definition is required, if required to 
propose such a definition, InterTrust proposes the following: a Protected Processing 
Environment incorporating software-based Security. 


identifier, identify, identifying 

193.13, 193.15, 912.8, 912.35, 
861.58 


Identifier: Information used to Identify something or someone (e.g., a password). 

Identify/identifying: Normal English: To establish/establishing the identity of or to 
ascertain/ascertaining the origin, nature, or definitive characteristics of; includes 
identifying as an individual or as a member of a group. 


including 

193.1 (at 320:63, and 321:3); 
193.19 (at 324:15); 

912.8 (at 327:36, 39, and 41); 
912.35 (330:35 and 39); 
861.58 (at 26:53 and 63); and 

683.2 (at 63:60). 


Normal English: Depending on the context, this means: part of or storing within, as 
opposed to Addressing. 


information previously stored 
900.155 


Normal English: Information stored at an earlier time. See Authorization Information 
for the definition of Information. 


integrity programming 
900.155 


This term is fully defined in the claim, which specifies the steps the integrity 
programming must perform. Integrity programming is programming that performs the 
recited steps. The term therefore needs no additional definition. 

Without waiving its position that no separate definition is required, if required to 
propose such a definition, InterTrust proposes the following: programming that 
checks the integrity of a Host Processing Environment. 


key 
193.19 


Information used to encrypt, decrypt, sign or verify other information. 


load module 
912.8, 721.1 


An Executable unit of code designed to be loaded into memory and executed, plus 
associated data. 


machine check programming 
900.155 


Programming that checks a host processing environment and derives information from 
an Aspect of the Host Processing Environment. 


opening secure containers 
683.2 


Providing Access to the contents of a Secure Container (e.g., by decrypting the 
contents, if the contents are encrypted). 


operating environment 
891.1 


Environment in which programs function. 


organization, organization 

information or^aniz^ 

861.58 


In the context of organization of a Secure Container, these terms describe contents 
required or desired (including Information used to categorize those contents). 

Information used to specify a particular location for content. See Authorization 
Information for the definition of Information. 


portion 

193.1, 193.11, 193.15, 193.19, 
912.8, 912.35, 861.58 


Normal English: a part of a whole. The presence of a "portion" does not exclude the 
presence of the whole (e.g., storage of an entire file necessarily includes storage of any 
portions into which that file may be subdivided). 


prevents 
721.34 


Normal English: keeps from happening. 


processing environment 
912.35, 900.155, 721.34, 683.2 


Processing: manipulating data. 

Processing Environment: An Environment used for Processing. A Processing 
Environment may be made up of one device or of more than one device linked 
together. 


protected processing environment 
721.34, 683.2 


Processing Environment in which processing and/or data is at least in part protected 
from Tampering. The level of protection can vary, depending on the threat. 


protecting 
683.2 


Normal English: keeping from being damaged, attacked, stolen or injured. 


record (n.) 
912.8, 912.35 


Collection of related items of data treated as a unit. 


required 
912.8, 861.58 


Normal English: a thing that is required is a thing that is obligatory or demanded. 


resource processed 

891.1 


Resource: computer software, computer hardware, data, data structure or information. 

Resource processed: a Resource subject to being Processed, i.e., computer software, 
data, data structure or information. See Processing Environment for a definition of 
Processed. 


rule 

861.58, 683.2 


See Control. 


secure 

193.1, 193.11, 193.15, 912.35, 
861.58, 891.1, 683.2, 721.34 


One or more mechanisms are employed to prevent, detect or discourage misuse of or 
interference with information or processes. Such mechanisms may include 
concealment, Tamper Resistance, Authentication and access control. Concealment 
means that it is difficult to read information (for example, programs may be 
encrypted). Tamper Resistance and Authentication are separately defined. Access 
control means that Access to information or processes is limited on the basis of 
authorization. Security is not absolute, but is designed to be sufficient for a particular 
purpose. 


secure container 
912.35, 861.58, 683.2 


Container: Digital File Containing linked and/or embedded items. 
Secure Container: A Container that is Secure. 


secure container governed item 
683.2 


Information and/or programming Contained in a Secure Container and Governed by an 
associated Secure Container Rule. 


secure database 
193.1, 193.11, 193.15 


Database: an organized collection of information. 
Secure Database: Database that is Secure. 


secure execution space 
721.34 


Execution Space that is Secure. 


secure memory, memory 
193.1, 193.11, 193.15 


Memory: A medium in which data (including executable instructions) may be stored 
and from which it may be retrieved. "Memory" includes "virtual memory." 

Secure Memory: Memory in which Information is handled in a Secure manner. See 
Authorization Information for the definition of Information. 


secure operating environment, 
said operating environment 

891.1 


An Operating Environment that is Secure. 


securely applying 
891.1 


Requiring that one or more Controls be complied with before content may be used. 
The operation of requiring that the Control(s) be complied with must be carried out in 
a Secure manner. 


securely assembling 
912.8, 912.35 


Associating two or more Components together to form a Component Assembly, in a 
Secure manner. See Component Assembly for the definition of Component. 


securely processing 
891.1 


Processing occurring in a Secure manner. See Processing Environment for the 
definition of Processing. 


securely receiving 
891.1 


Receiving has its normal English meaning: acquiring or getting. 
Securely Receiving means receipt occurring in a Secure manner. 


security level, level of security 
721.3; 721.34, 912.8 


Information that can be used to determine how Secure something is (e.g., a device, 
Tamper Resistant Barrier or Execution Space). 


tamper resistance 
721.3, 721.34, 900.155 


Making Tampering more difficult and/or allowing detection of Tampering. 


tamper resistant barrier 
721.34 


Hardware and/or software that provides Tamper Resistance. 


tamper resistant software 
900.155 


Software designed to make it more difficult to Tamper with the software and/or allow 
detection of tampering. 


use 

912.8, 912.35, 861.58, 193.19, 
891.1, 683.2, 721.1 


Normal English: to put into service or apply for a purpose, to employ. 


user controls 
683.2 


Hardware feature of an apparatus allowing a user to operate the apparatus (e.g., a 
keyboard). 


validity 
912.8 


A property of something (e.g., a Record) indicating that it is appropriate for use. 


virtual distribution environment 
900.155 


This term is contained in the preamble of the claim and should not be defined, other 
than as requiring the individual claim elements. 

Without waiving its position that no separate definition is required, if required to 
propose such a definition, InterTrust proposes the following: secure, distributed 
electronic transaction management and rights protection system for controlling the 
distribution and/or other usage of electronically provided and/or stored information. 


'193:1 


The claim contains no requirement of a VDE. 


receiving a digital file including 
music 


See Receiving a digital file (193.11). This phrase is interpreted the same, except that 
the file includes music. 


a budget specifying the number of 
copies which can be made of said 
digital file 


Normal English, incorporating the separately defined terms: a Budget stating the 
number of Copies that Can Be made of the Digital File referred to earlier in the claim 


controlling the copies made of 
said digital file 


The nature of this operation is further defined in later claim elements. In context, the 
Copy Control determines the conditions under which a Digital File may be Copied and 
the Copied File stored on a second device. 


determining whether said digital 
file may be copied and stored on a 
second device based on at least 
said copy control 


Normal English, incorporating the separately defined terms: Using the Copy Control 
in deciding whether the Digital File referred to earlier in the claim may be Copied and 
the Copied Digital File stored on a second device. 


if said copy control allows at least 
a portion of said digital file to be 
copied and stored on a second 
device 


Normal English: a "yes" result is received in the step Determining whether said digital 
file may be copied and stored on a second device based on at least said copy control 
(193.1). 


copying at least a portion of said 
digital file 


Normal English, incorporating the separately defined terms: Copying at least a Portion 
of the Digital File referred to earlier in the claim. 


transferring at least a portion of 
said digital file to a second device 


Normal English, incorporating the separately defined terms: at least a Portion of the 
Copied Digital File is sent to a second device. 


storing said digital file 


Normal English: that which was transferred in the transferring step is stored. 


'193:11 


The claim contains no requirement of a VDE. 


receiving a digital file 


Normal English, incorporating the separately defined term: a Digital File is obtained. 

This phrase has been designated by Microsoft for interpretation under § 112(6). 
InterTrust objects to such designation. Without waiver of such objection, as is 
required by the Local Rules, InterTrust hereby identifies acts corresponding to this 
term: 

Claim elements specifying the act of receiving a file, or the act of establishing 
communications, map onto a large number of structures and acts disclosed in the 
specification, many of which constitute alternate embodiments. These include 
obtaining a file or communicating through telecommunications links, satellite 
transmissions, physical exchange of media, network transmissions, etc. 


determining whether said digital 
file may be copied and stored on a 
second device based on said first 
control 


Normal English, incorporating the separately defined terms: Using the Control to 
decide whether the Digital File may be Copied and the Copied Digital File stored on 
the second device. 


identifying said second device 


Normal English, incorporating the separately defined term: the second device is 
Identified. 


whether said first control allows 
transfer of said copied file to said 
second device 


Normal English, incorporating the separately defined terms: Using the first Control to 
decide if the Copied Digital File may be sent to the second device. 


said determination based at least 
in part on the features present at 
the device 


Normal English: the decision referred to earlier in the claim is based at least in part on 
characteristics of the second device. 


if said first control allows at least 
a portion of said digital file to be 
copied and stored on a second 
device 


See "If said copy control allows at least a portion of said digital file to be copied and 
stored on a second device" (193.1). The definitions are the same. 


copying at least a portion of said 
digital file 


See "Copying at least a portion of said digital file" (193.1). The definitions are the 
same. 


transferring at least a portion of 
said digital file to a second device 


See "Transferring at least a portion of said digital file to a second device" (193.1). The 
definitions are the same. 


storing said digital file 


See "Storing said digital file" (193.1). The definitions are the same. 


'193:15 


The claim contains no requirement of a VDE. 


receiving a digital file 


See "Receiving a digital file" (193.11). The definitions are the same. 


an authentication step comprising: 


Normal English, incorporating the separately defined term: a step involving 
Authentication. 


accessing at least one identifier 
associated with a first device or 
with a user of said first device 


Normal English, incorporating the separately defined terms: Accessing an Identifier 
Associated With a device or a user of the device. 


determining whether said 
identifier is associated with a 
device and/or user authorized to 
store said digital file 


Normal English, incorporating the separately defined terms: deciding whether the 
Identifier is Associated With a device or user with authority to store the Digital File. 


storing said digital file in a first 
secure memory of said first 
device, but only if said device 
and/or user is so authorized, but 
not proceeding with said storing if 
said device and/or user is not 
authorized 


Normal English, incorporating the separately defined terms: this step proceeds or does 
not proceed based on the preceding determining step. If this step proceeds, the Digital 
File is stored in a Secure Memory of the first device. 


storing information associated 
with said digital file in a secure 
database stored on said first 
device, said information including 


Normal English, incorporating the separately defined terms: storing a Control 
Associated With the Digital File in a Secure Database stored at the first device. 


at least one control 




determining whether said digital 
file may be copied and stored on a 
second device based on said at 
least one control 


See "Determining whether said digital file may be copied and stored on a second 
device based on at least said copy control" (193.1). The definitions are the same. 


if said at least one control allows 
at least a portion of said digital 
file to be copied and stored on a 
second device, 


See "If said first control allows at least a portion of said digital file to be copied and 
stored on a second device" (193.11). The definitions are the same. 


copying at least a portion of said 
digital file 


See "Copying at least a portion of said digital file" (193.1). The definitions are the 
same. 


transferring at least a portion of 
said digital file to a second device 


See "Transferring at least a portion of said digital file to a second device" (193.1). The 
definitions are the same. 


storing said digital file 


See "Storing said digital file" (193.1). The definitions are the same. 


'193:19 


The claim contains no requirement of a VDE. 


receiving a digital file at a first 
device 


See "Receiving a digital file" (193.11). The definitions are the same. 


establishing communication 
between said first device and a 
clearinghouse located at a location 
remote from said first device 


Normal English, incorporating the separately defined term: sending information from 
the first device to the Clearinghouse and/or the first device receiving information from 
the Clearinghouse. 

This phrase has been designated by Microsoft for interpretation under § 112(6). 
InterTrust objects to such designation. Without waiver of such objection, as is 
required by the Local Rules, InterTrust hereby identifies acts corresponding to this 
term: 

Claim elements specifying the act of receiving a file, or the act of establishing 
communications, map onto a large number of structures and acts disclosed in the 
specification, many of which constitute alternate embodiments. These include 
obtaining a file or communicating through telecommunications links, satellite 
transmissions, physical exchange of media, network transmissions, etc. 


using said authorization 
information to gain access to or 
make at least one use of said first 
digital file 


Normal English, incorporating the separately defined terms: the Authorization 
Information is used in a process of Accessing or Using the Digital File. 


receiving a first control from said 
clearinghouse at said first device 


Normal English, incorporating the separately defined terms: the first device acquires 
or gets a Control from the Clearinghouse. 

This phrase has been designated by Microsoft for interpretation under § 112(6). 
InterTrust objects to such designation. Without waiver of such objection, as is 
required by the Local Rules, InterTrust hereby identifies acts corresponding to this 
term: 

Claim elements specifying the act of receiving a file, or the act of establishing 
communications, map onto a large number of structures and acts disclosed in the 
specification, many of which constitute alternate embodiments. These include 
obtaining a file or communicating through telecommunications links, satellite 
transmissions, physical exchange of media, network transmissions, etc. 


storing said first digital file in a 
memory of said first device 


Normal English, incorporating the separately defined terms: the Digital File is stored 
at the first device. 


using said first control to 
determine whether said first 
digital file may be copied and 
stored on a second device 


See "Determining whether said digital file may be copied and stored on a second 
device based on at least said copy control" (193.1). The definitions are the same. 


if said first control allows at least 
a portion of said first digital file to 
be copied and stored on a second 
device 


See "If said first control allows at least a portion of said digital file to be copied and 
stored on a second device" (193.13). The definitions are the same. 


copying at least a portion of said 
first digital file 


See "Copying at least a portion of said digital file" (193.1). The definitions are the 
same. 


transferring at least a portion of 
said first digital file to a second 
device including a memory and an 
audio and/or video output 


See "Transferring at least a portion of said digital file to a second device" (193.1). The 
definitions are the same, except that the second device has an audio or video output or 
both (e.g., a speaker, a screen, etc.). 


storing said first digital file 
portion 


Normal English, incorporating the separately defined terms: the Digital File Portion is 
stored. 


'683:2 


The claim contains no requirement of a VDE. 


the first secure container having 
been received from a second 
apparatus 


Normal English, incorporating the separately defined term: the Secure Container was 
acquired from a second apparatus. The second apparatus is different from the first 
apparatus. 


an aspect of access to or use of 


Normal English, incorporating the separately defined terms: Aspect and Access to or 
Use of. Those terms fully define the phrase, so that no other definition is possible. 


the first secure container rule 
having been received from a third 
apparatus different from said 
second apparatus 


Normal English, incorporating the separately defined terms: this term requires that the 
first Secure Container Rule was acquired from a third apparatus. The third apparatus 
is different from the second apparatus or the first apparatus. 


hardware or software used for 
receiving and opening secure 
containers 


Normal English, incorporating the separately defined terms: computer hardware or 
programming that acquires Secure Containers and Opens the Secure Containers (see 
Opening Secure Containers). 

This phrase has been designated by Microsoft for interpretation under § 112(6). 
InterTrust objects to such designation. Without waiver of such objection, as is 
required by the Local Rules, InterTrust hereby identifies structures corresponding to 
this term: 

Structures corresponding to this element include Processor(s) 4126 and/or software 
running on Processors 4126 (including Protected Processing Environment 650) and 
Communications Device 666. 


said secure containers each 
including the capacity to contain a 
governed item, a secure container 
rule being associated with each of 
said secure containers 


Each Secure Container referred to in the phrase "hardware or software used for 
receiving and opening secure containers" must have the capacity to Contain a 
Governed Item, and must have Associated With it a Secure Container Rule. 


protected processing environment 
at least in part protecting 
information contained in said 
protected processing environment 
from tampering by a user of said 
first apparatus 


Normal English, incorporating the separately defined terms: a Protected Processing 
Environment contains Information. The Protected Processing Environment protects 
the contained Information from Tampering by a user. The protection may be partial 
rather than complete. See Authorization Information for the definition of Information. 


hardware or software used for 
applying said first secure 
container rule and a second secure 
container rule in combination to at 
least in part govern at least one 
aspect of access to or use of a 
governed item contained in a 
secure container 


Normal English, incorporating the separately defined terms: computer hardware or 
programming that uses the first Secure Container Rule and a second Secure Container 
Rule. These rules are Applied in Combination to Govern a Governed Item contained 
in a Secure Container. 

This phrase has been designated by Microsoft for interpretation under § 112(6). 
InterTrust objects to such designation. Without waiver of such objection, as is 
required by the Local Rules, InterTrust hereby identifies structures corresponding to 
this term: 

Structures corresponding to this element include Processor(s) 4126 and/or software 
running on Processors 4126 (including Protected Processing Environment 650). 


hardware or software used for 
transmission of secure containers 
to other apparatuses or for the 
receipt of secure containers from 
other apparatuses. 


Normal English, incorporating the separately defined terms: computer hardware or 
programming that sends Secure Containers to other apparatuses (e.g., other computers) 
or acquires Secure Containers from other apparatuses. 

This phrase has been designated by Microsoft for interpretation under § 112(6). 
InterTrust objects to such designation. Without waiver of such objection, as is 
required by the Local Rules, InterTrust hereby identifies structures corresponding to 
this term: 

Structures corresponding to this element include Processor(s) 4126 and/or software 
running on Processors 4126 (including Protected Processing Environment 650) and 
Communications Device 666. 


'721:1 


The claim contains no requirement of a VDE. 


digitally signing a first load 
module with a first digital 
signature designating the first load 
module for use by a first device 
class 


Normal English, incorporating the separately defined terms: generating a Digital 
Signature for the first Load Module, the Digital Signature Designating that the first 
Load Module is for use by a first Device Class. 


digitally signing a second load 
module with a second digital 
signature different from the first 
digital signature, the second 
digital signature designating the 
second load module for use by a 
second device class having at least 
one of tamper resistance and 
security level different from the at 
least one of tamper resistance and 
security level of the first device 
class 


Normal English, incorporating the separately defined terms: generating a Digital 
Signature for the second Load Module, the Digital Signature Designating that the 
second Load Module is for use by a second Device Class. This element further 
requires that the second Device Class have a different Tamper Resistance or Security 
Level than the first Device Class. 



distributing the first load module 
for use by at least one device in 
the first device class 


Normal English, incorporating the separately defined terms: distributing the first Load 
Module so that it can be used by a device in the first Device Class. 


distributing the second load 
module for use by at least one 
device in the second device class 


Normal English, incorporating the separately defined terms: distributing the second 
Load Module so that it can be used by a device in the second Device Class. 


'721:34 


The claim contains no requirement of a VDE. 


arrangement within the first 
tamper resistant barrier 


Normal English, incorporating the separately defined terms: an Arrangement 
protected by the first Tamper Resistant Barrier, the Arrangement operating as 
described in the claim. 


prevents the first secure execution 
space from executing the same 
executable accessed by a second 
secure execution space having a 
second tamper resistant barrier 
with a second security level 
different from the first security 
level 


Normal English, incorporating the separately defined terms: stops the first Secure 
Execution Space from executing (e.g. running a program) an Executable accessed by a 
second Secure Execution space. The first and second Secure Execution Spaces have 
Tamper Resistant Barriers that have different Security Levels. 


'861:58 


The claim contains no requirement of a VDE. 


creating a first secure container 


This term is contained in the preamble of the claim and should not be defined, other 
than as requiring the individual claim elements. 

Without waiving its position that no separate definition is required, if required to 
propose such a definition, InterTrust proposes the following: 

Normal English, incorporating the separately defined terms: producing a Secure 
Container. 


including or addressing . . . 
organization information . . . 
desired organization of a content 
section. . . and metadata 
information at least in part 
specifying at least one step 
required or desired in creation of 
said first secure container 


This is not a claim term, but is instead a series of fragments. Interpretation of this 
phrase is therefore impossible, since the phrase does not appear in the claim. 

Without waiving its position that these claim fragments should not be interpreted, 
InterTrust would be willing to agree to the following: 

1. The same single Descriptive Data Structure must either Contain within its confines 
or Address both Organization Information and Metadata information. 


at least in part determine specific 
information required to be 
included in said first secure 
container contents 


Normal English, incorporating the separately defined terms: at least partially Identify 
specific Information that must be included in the first Secure Container. See 
Authorization Information for the definition of Information. 


rule designed to control at least 
one aspect of access to or use of at 
least a portion of said first secure 
container contents 


Normal English, incorporating the separately defined terms: a Rule that Governs at 
least some of the contents of the Secure Container. 


'891:1 


The claim contains no requirement of a VDE. 


resource processed in a secure 
operating environment at a first 
appliance 


This term is contained in the preamble of the claim and should not be defined, other 
than as requiring the individual claim elements. 

Without waiving its position that no separate definition is required, if required to 
propose such a definition, InterTrust proposes the following: 

Normal English, incorporating the separately defined terms: a Resource Processed in a 
Secure Operating Environment, the Secure Operating Environment being present at an 
appliance (e.g., a computer). 


securely receiving a first entity's 
control at said first appliance 


Normal English, incorporating the separately defined terms: an Entity's Control is 
Securely Received at the first appliance. 

This phrase has been designated by Microsoft for interpretation under § 112(6). 
InterTrust objects to such designation. Without waiver of such objection, as is 
required by the Local Rules, InterTrust hereby identifies acts corresponding to this 
term: 

Claim elements specifying the act of receiving a file, or the act of establishing 
communications, map onto a large number of structures and acts disclosed in the 
specification, many of which constitute alternate embodiments. These include 
obtaining a file or communicating through telecommunications links, satellite 
transmissions, physical exchange of media, network transmissions, etc. 

Claim elements specifying the act of "securely receiving" map onto embodiments of 
"receiving" (see above) in which the received element (e.g., a control) is received in a 
manner providing security. The specification describes a number of security-related 
mechanisms for use in communications, including encryption, authentication and 
tamper-resistance. Such mechanisms constitute alternate embodiments. 


securely receiving a second 
entity's control at said first 
appliance 


See Securely receiving a first entity's control at said first appliance. The definitions 
are the same, except that the second entity and the first entity are different. 


securely processing a data item at 
said first appliance, using at least 
one resource 


Normal English, incorporating the separately defined terms: a Resource is used in 
Securely Processing a Data Item, the processing occurring at the first appliance. 


securely applying, at said first 
appliance through use of said at 
least one resource said first 
entity's control and said second 
entity's control to govern use of 
said data item 


Normal English, incorporating the separately defined terms: the first Entity's Control 
and the second Entity's Control are Securely Applied to Govern Use of the Data Item, 
the act of Securely Applying involving use of the Resource. 


'900:155 


See definition of Virtual Distribution Environment, above. 


first host processing environment 
comprising 


A Host Processing Environment including (but not limited to), the listed elements. 


designed to be loaded into said 
main memory and executed by 
said central processing unit 


Normal English, incorporating the separately defined term: software designed to be 
loaded into the Memory of a computer and executed by the computer's processor. 


said tamper resistant software 
comprising: . . . one or more 
storage locations storing said 
information 


This is not a claim term, but is instead two sentence fragments. Interpretation of this 
phrase is therefore impossible, since the phrase does not appear in the claim. 


derives information from one or 
more aspects of said host 
processing environment, 


Normal English, incorporating the separately defined terms: Derives (including 
creates) Information based on at least one Aspect of the previously referred to Host 
Processing Environment. See Authorization Information for the definition of 
Information. 


one or more storage locations 
storing said information 


Normal English, incorporating the separately defined terms: Information relating to 
one or more Aspects of the Host Processing Environment is stored in one or more 
locations. See Authorization Information for the definition of Information. 


information previously stored in 
said one or more storage locations 


See Information Previously Stored. The definitions are the same. 


generates an indication based on 
the result of said comparison 


Producing an indication based on the result of the "compares" step. The "indication" 
need not be displayed to a user. 


programming which takes one or 
more actions based on the state of 
said indication 


Normal English: software that takes an action if the indication has one state, but does 
not take that action if the indication does not have that state. 


at least temporarily halting further 
processing 


Normal English, incorporating the separately defined terms: Halting Processing, the 
Halt being temporary or permanent. See Securely Processing for the definition of 
Processing. 


'912:8 


The claim contains no requirement of a VDE. 


identifying at least one aspect of 
an execution space required for 
use and/or execution of the load 
module 


Identifying at least one aspect of an execution space: 

Normal English, incorporating the separately defined terms: Identifying an Aspect 
(e.g. Security Level) of an Execution Space 

Required for use and/or execution of the load module: 

Normal English, incorporating the separately defined terms: the Identified Aspect is 
needed in order for the Load Module to execute or otherwise be used. 


said execution space identifier 
provides the capability for 
distinguishing between execution 
spaces providing a higher level of 
security and execution spaces 
providing a lower level of security 


Normal English, incorporating the separately defined terms: the Execution Space 
Identifier makes it possible to distinguish higher Security Level Execution Spaces 
from lower Security level Execution Spaces. 


checking said record for validity 
prior to performing said executing 
step 


Normal English, incorporating the separately defined terms: determining whether the 
Record has Validity, the determination occurring before the execution step. 


'912:35 


The claim contains no requirement of a VDE. 


received in a secure container 


Normal English, incorporating the separately defined terms: the Record is contained 
in a Secure Container when acquired. 


said component assembly 
allowing access to or use of 
specified information 


Normal English, incorporating the separately defined terms: the Component Assembly 
allows Access to specified Information. See Authorization Information for the 
definition of Information. 


said first component assembly 
specified by said first record 


This term is a label referring back to the first component assembly identified earlier in 
the claim. It has no other meaning. 
EXHIBIT C 



PLR 4-3(b) - Identification of Supporting Evidence 



The following represents InterTrust's list of all evidence relevant to construction of the disputed terms and phrases. 
InterTrust expects to identify those passages of greatest significance in connection with InterTrust's claim construction 
briefing. In addition to the evidence listed in the table below, InterTrust intends to rely on the testimony of Dr. Reiter, as 
described in more detail in Exh. F. 



1. InterTrust reserves the right to supplement this list as needed to respond to changed constructions proffered by 
Microsoft immediately before or after the submission of the Joint Claim Construction Statement, or to respond to evidence 
or arguments proffered by Microsoft. 

2. In the following list, certain terms and phrases include other, separately defined terms. In such cases, the evidence 
supporting the separately defined term is also relevant to construction of the larger term. 

3. The InterTrust patents include overlapping specifications, in which the same text may be found in two or more 
specifications. In such cases, InterTrust has cited only one of the specifications. InterTrust reserves the right to substitute 
citations for the same text in other specifications. 

4. Citations of specification text also include a citation of any Figures discussed in that text. 

5. Each claim term is followed by a list of all patent claims in which the term appears (e.g., "193.15" means claim 
15 from the '193 patent). 



Key to abbreviations: 



USP = United States Patent 
'193 patent = USP 6,253,193 
'683 patent = USP 6,185,683 
'721 patent = USP 6,157,721 
'891 patent = USP 5,982,891 
'861 patent = USP 5,920,861 
'912 patent = USP 5,917,912 
'900 patent = USP 5,892,900 



Notes: 



Claim Term / Phrase 



InterTrust Evidence 



access, accessed, access to, 
accessing 



Patent Specifications 
'193 patent at 51:32-33, 61 



193.15, 193.19,912.8,912.35, 
861.58, 683.2, 721.34 



'193 patent at 59:53-55 
'193 patent at 62:54-57 
'193 patent at 64:6-7 



'193 patent at 65:14-19 
'193 patent at 71:49-51 
'193 patent at 72:1-3 



'193 patent at 120:59-66 
'193 patent at 128:42-45 
'193 patent at 136:58-60 
'193 patent at 137:63-66 
'193 patent at 139:41-55 
'193 patent at 159:24-26 



'193 patent at 159:64-160:8 



'193 patent at 163:36-63 
'193 patent at 170:17-19 



'193 patent at 173:9-16 
'193 patent at 178:57-63 
'193 patent at 183:24-26 
'193 patent at 183:55-57 
'193 patent at 188:65-66 
'193 patent at 192:2-57 
'193 patent at 217:27-42 
'193 patent at 274:58-61 
'193 patent at 298:67-299:5 

'683 patent at 10:66-11:3 
'683 patent at 12:52-53 
'683 patent at 13:15 
'683 patent at 15:67-16:4 
'683 patent at 19:6-14 
'683 patent at 42:34-37 
'683 patent at 56:21-25 
'683 patent at 57:63-65 

'861 patent at 12:35-39 
'861 patent at 13:6-17 
'861 patent at 15:35-48 
'861 patent at 17:22-25 

'721 patent at 2:47-53 
'721 patent at 2:62-63 
'721 patent at 4:5-15 

Extrinsic Sources 

Personal Computer Dicrionary (1995), p. 11 . 

Wyatt, Computer Professional's Dicrionary (Osborne McGraw-Hill, 1990), p. 7. 

Webster's New World Dictionary of Computer Terms, 6 th ed. (1997), p. 12. 

Citations from Sources Designated bv Microsoft under PLR 4-2(b) 

The New IEEE Standard Dictionary of Electrical and Electronic Terms (IEEE, 1993), 

p. 6. 

Cooper, Computer & Communications Security: Strategies for the 1990s, p. 365. 

National Information System Security (INFOSEC) Glossary, NSTISSI No. 4009 
(2000), p. 1. 

Glossary of Telecommunications Terms (National Communications Systems, 1996), p. 
A-3. 

Webster's New World Dictionary of Computer Terms, 4 th ed. (1992), p. 2. 

Encyclopedia of Computer Science and Engineering, 2 nd ed. (Van Nostrand Reinhold, 
1983), p. 494. 



addressing 
861.58 

Patent Specifications 
'861 patent at 5:57-6:7 
'861 patent at 10:53-59 
'861 patent at 14:14-29 
'861 patent at 15:21-31 
'193 patent at 86:51-56 
'193 patent at 92:18-23 
'193 patent at 109:2-5 
'193 patent at 214:35-18 
'193 patent at 289:14-22 

Extrinsic Sources 
Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 17. 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 
The New IEEE Standard Dictionary of Electrical and Electronic Terms (1993), pp. 16- 
Glossary of Telecommunications Terms (National Communications Systems, 1996), p. A-7. 


allowing, allows 
912.35, 193.1, 193.11, 193.15, 193.19 

Patent Specifications 
'193 patent at 11:19-23 
'193 patent at 15:14-37 
'193 patent at 16:49-51 
'193 patent at 34:13-19 
'193 patent at 75:1-5 

Extrinsic Sources 
The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 
Webster's College Dictionary of Random House (1991), p. 38. 
Funk & Wagnalls Standard College Dictionary (1973-74), p. 39. 


arrangement 
721 M 

Patent Specifications 
'721 patent at 3:10-15 
'721 patent at 4:56-60 
'721 patent at 16:52-64 
'721 patent at 19:24-32 
'193 patent at 1:27-36 
'193 patent at 8:21-27 
'193 patent at 10:49-53 
'193 patent at 11:38-45 
'193 patent at 11:49-53 
'193 patent at 12:53-61 
'193 patent at 13:M 
'193 patent at 14:60-66 
'193 patent at 19:5-9 
'193 patent at 20:51-67 
'193 patent at 41:31-33 
'193 patent at 45:52-59 
'193 patent at 48:33-36 
'193 patent at 48:66-49:3 
'193 patent at 225:39-46 
'193 patent at 226:43-53 
'193 patent at 227:25-28 
'193 patent at 230:45-50 
'193 patent at 236:25-29 
'193 patent at 301:58-59 

Extrinsic Sources 
The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 102. 

File Histories 
'721 File History, original claims 15-18 and 36-39 




Patent Specifications 






900.155, 912.8, 861.58, 683.2 


•"OHO T%ot*»nt of 74* 1 7 17 

7w paieni ai /**. jz-i / 


yuu patent at /4:zy-J3 




•QAA — .otorif ot 77* 1 ^ 1 O 

yuu patent at / /. iD-iy 




*QflA t> -1 font 71/C.1 7 

yuu patent at zjo.3-/ 




'193 patent at 83:30-32 
i y3 patent at yj \jl /-ju 
'193 patent at 103:14-20 
'193 patent at 121:35-37 
'193 patent at 125:39-41 
iyj paieni ai zou.h/*** / 
'193 patent at 340:40-43 
'861 patent at 6:24-29 
'861 patent at 17:3-6 

File Histories 
'900 File History, original claims 5-6. 
App. No. 09/342,899, 6/12/00 Office Action, p. 5 (citing USP 5,748,960 at 21:7-15). 


associated with 

Patent Specifications 




' 1 01 riot*»Tif at *\- 1 O 71 

iyj paieni ai j.jy-zi 


912.8, 193.1, 193.11, 193.15, 


* 1 01 rtotont ot 17-/1H A 1 

ijj paieni ai iz.hu-^j 


683.2 


* 1 01 mtpnt of 1 1--S/1 AI 

iyj paieni ai h.d^-Oj 




i y^ paiem ai i _>._> i Oj 




*101 n?at*>r»t of 17-^7 <A 

paieni ai i /.jzoo 




4 1 01 nntpnt nf 1 8-1fi_47 

i"j paieni ai io.jo-^+z 




* 1 01 natpnt of OfVR 7£ 

i yj patent at zu.o-zo 




4 1 01 r»at#»nf of 07'7fi 7^ 

j yj paieni ai //.zu-zj 




* 1 01 naf#»nf of 17*40 $ 1 ■ 




*193 natpnt at ^V7fi ^0 

1 patent al jj.iU-jv 




* 1 93 natpnt at ^-1 1 




l 193 natent at 




* 1 93 Datent at S7- 1 7-40 




'193 natent at ^0-6-18 




*193 natent at fi^-Afi fi/vS 




4 1 9"? natpnt at 101-^4-1 D4-7R 




'193 patent at 149:46-54 
'193 patent at 153:32-154:49 
'193 patent at 188:8-11 
'193 patent at 194:47-51 
'193 patent at 195:10-24 
'193 patent at 210:56-211:9 
'193 patent at 241:17-26 
'193 patent at 245:9-13 
'193 patent at 268:66-269:11 
'193 patent at 269:23-34 
'193 patent at 292:63-67 
'193 patent at 297:61-298:2 
'193 patent at 299:46-49 
'193 patent at 300:44-51 
'193 patent at 308:48-56 

'683 patent at 8:34-37 
'683 patent at 9:56-58 
'683 patent at 10:1-4 
'683 patent at 24:5-13 
'683 patent at 26:12-16 
'683 patent at 27:24-28 
'683 patent at 30:44-56 
'683 patent at 37:14-19 
'683 patent at 40:10-15 
'683 patent at 41:58-61 


authentication 
1 07 1 < 

Patent Specifications 
'193 patent at 13:33-37 
'193 patent at 64:29-37 
'193 patent at 67:58-60 
'193 patent at 115:17-21 
'193 patent at 123:21-62 
'193 patent at 160:24-26 
'193 patent at 203:58-61 
'193 patent at 204:2-13 
'193 patent at 204:27-34 
'193 patent at 213:1-15 
'193 patent at 218:38-220:19 
'193 patent at 230:22-27 
'193 patent at 232:47-53 
'193 patent at 236:21-25 
'193 patent at 290:47-62 
'193 patent at 319:27-29 

'683 patent at 7:42-45 
'683 patent at 8:15-27 
'683 patent at 10:1-4 
'683 patent at 18:65-19:26 
'683 patent at 21:36-52 
'683 patent at 30:65-31:63 
doj patent at 34: MO/ 
'683 patent at 41:18-21 
'683 patent at 48:32-36 
'683 patent at 49:3-17 

File Histories 
'683 File History, 11/12/99 Office Action, p. 7 (citing USP 5,412,717 at 6:19-48). 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 
Tanenbaum, Modern Operating Systems (Prentice Hall, 1992), p. 189. 


authorization information, 
authorized, not authorized 
193.15, 193.19 

Patent Specifications 
'193 patent at 3:3-9 
'193 patent at 167:8-11 
'193 patent at 167:55-59 
'193 patent at 211:39-212:7 
'193 patent at 214:42-48 
'193 patent at 215:59-216:5 
'193 patent at 220:47-52 
'193 patent at 223:57-60 
'193 patent at 254:40-44 

File Histories 
USP 5,910,987 File History, 9/23/98 Office Action, p. 4. 

Extrinsic Sources 
The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 120. 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 
Cooper, Computer & Communications Security: Strategies for the 1990s, p. 367. 
Laplante, Dictionary of Computer Science, Engineering and Technology (2001), p. 29. 
Microsoft Computer Dictionary, 2nd ed. (Microsoft Press, 1994), p. 32. 
Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 36. 


budget control; budget 
193.1 

Patent Specifications 
'193 patent at 22:47-52 
'193 patent at 50:18 
'193 patent at 51:44-45 
'193 patent at 57:51-54 
'193 patent at 58:26-34 
'193 patent at 58:38-59:37 
'193 patent at 130:58-331:52 
'193 patent at 132:7-26 
'193 patent at 132:55-65 
'193 patent at 133:12-13 
'193 patent at 133:45-59 
'193 patent at 342:41-61 
'193 patent at 143:10-28 
'193 patent at 143:38-144:31 
'193 patent at 150:63-66 
'193 patent at 152:44-47 
'193 patent at 172:14-48 
'193 patent at 172:61-174:33 
'193 patent at 173:21-177:53 
'193 patent at 182:7-14 
'193 patent at 182:22-30 
'193 patent at 184:67-185:1 
'193 patent at 220:20-40 

File Histories 
App. No. 09/328,668, 9/1/00 Office Action, p. 4. 
USP 5,910,987 File History, 9/23/98 Office Action, p. 5. 

Extrinsic Sources 
The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 249. 


can be 
193.1 

Extrinsic Sources 
The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), pp. 159, 277. 


capacity 
683.2 

Patent Specifications 
'193 patent at 127:35-62 

Extrinsic Sources 
The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 283. 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 
Webster's College Dictionary of Random House (1991), p. 201. 
Random House Dictionary of the English Language: College Edition (1968), p. 200. 
Encyclopedia of Computer Science and Engineering, 2nd ed. (Van Nostrand Reinhold, 1983), pp. 208, 3519 


clearinghouse 
193.19 

Patent Specifications 
'193 patent at 3:32-33 
'193 patent at 13:17-23 
'193 patent at 25:22-24 
'193 patent at 36:15-48 
'193 patent at 41:8-9 
'193 patent at 47:37-42 
'193 patent at 50:8-9 
'193 patent at 55:57-66 
'193 patent at 56:16-24 
'193 patent at 132:35-37 
'193 patent at 161:66-162:65 
'193 patent at 253:65-254:1 
'193 patent at 255:33-51 
'193 patent at 267:40-42 
'193 patent at 268:29-31 
'193 patent at 269:59-65 
'193 patent at 270:42-58 
'193 patent at 271:44-49 
'193 patent at 280:18-26 
'193 patent at 284:50-59 

File Histories 
uor o,Hz/,i4U rue riistory, unice Acnon, p. 3. 
USP 6,112,181 File History, 12/31/98 Office Action, p. 30. 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 
Encyclopedia of Computer Science and Engineering, 2nd ed. (Van Nostrand Reinhold, 1983), p. 600. 


compares, comparison 
900.155 

Patent Specifications 
'900 patent at 195:9-12 
'900 patent at 280:63-65 
'900 patent at 322:15-20 

Extrinsic Sources 
The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 384. 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 
The New IEEE Standard Dictionary of Electrical and Electronic Terms (IEEE, 1993), p. 221. 
Illustrated Dictionary of Computing, 2nd ed. (Prentice Hall, 1992), p. 110. 
The American Heritage Dictionary of the English Language (1969), p. 271. 
Webster's College Dictionary of Random House (1991), p. 276. 
Funk & Wagnalls Standard College Dictionary (1973-74), p. 275. 
Random House Dictionary of the English Language: College Edition (1968), p. 273. 
Webster's Ninth New Collegiate Dictionary (Merriam-Webster, 1987), pp. 276-277. 
IBM Dictionary of Computing (McGraw Hill, 1994), pp. 124-125. 



component assembly 
912.8, 912.35 

Patent Specifications 
'193 patent at 25:54-26:9 
'193 patent at 50:35-36 
'193 patent at 83:12-88:21 
'193 patent at 112:46-113:62 
'193 patent at 115:43-116:51 
'193 patent at 133:43-45 
'193 patent at 138:31-37 
'193 patent at 159:61-160:8 
'193 patent at 169:62-170:4 
'193 patent at 171:39-42 
'193 patent at 247:58-64 
'193 patent at 250:21-34 
'193 patent at 260:36-47 

File Histories 
'912 File History, 9/22/98 Office Action, pp. 2-3 (citing USP 5,748,960); see also USP 5,748,960 at 1:33-67 and 16:32-41. 
'912 File History, 6/24/98 Amendment, pp. 73-75. 
'912 File History, 12/24/97 Office Action, pp. 2-3 (citing USP 5,629,980; USP 5,499,298; and USP 5,457,746); see also USP 5,629,980 at 9:6-11:29; USP 5,499,298 at 6:46-8:23; and USP 5,457,746 at 10:8-67. 
App. No. 09/342,899 File History, 12/12/00 Amendment, p. 7. 
App. No. 09/342,899 File History, 12/13/01 Response, p. 3. 



contain, contained, containing 
683.2, 912.8, 912.35 

Patent Specifications 
'193 patent at 19:15-21 
'193 patent at 58:48-58 

Extrinsic Sources 
The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 406. 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 
Webster's College Dictionary of Random House (1991), p. 293. 
Random House Dictionary of the English Language: College Edition (1968), p. 289. 
Que's Computer Programmer's Dictionary (1993), p. 93. 


control (n.) 
193.1, 193.11, 193.15, 193.19, 891.1 

Patent Specifications 
'193 patent at 5:19-24 
'193 patent at 6:33-45 
'193 patent at 7:13-19 
'193 patent at 10:66-11:18 
'193 patent at 12:12-14 
'193 patent at 13:54-60 
'193 patent at 15:3-7 
'193 patent at 15:18-21 
'193 patent at 15:33-38 
'193 patent at 15:46-50 
'193 patent at 17:15-21 
'193 patent at 17:46-67 
'193 patent at 18:29-42 
'193 patent at 19:13-32 
'193 patent at 22:47-58 
'193 patent at 25:48-52 
'193 patent at 25:52-26:12 
'193 patent at 28:19-44 
'193 patent at 29:21-28 
'193 patent at 30:62-65 
'193 patent at 32:30-34 
'193 patent at 33:11-19 
'193 patent at 33:63-34:3 
'193 patent at 34:30-37 
'193 patent at 42:21-38 
'193 patent at 42:39-43:1 
'193 patent at 43:25-44:2 
'193 patent at 44:34-52 
'193 patent at 45:11-15 
'193 patent at 45:33-36 
'193 patent at 48:29-35 
'193 patent at 49:11-12 
'193 patent at 49:50-55 
'193 patent at 53:53-59 
'193 patent at 56:26-32 
'193 patent at 57:27-36 
'193 patent at 57:51-55 
'193 patent at 58:27-34 
'193 patent at 59:1-25 
'193 patent at 71:20-25 
'193 patent at 77:32-34 
'193 patent at 77:45-63 
'193 patent at 77:64-78:3 
'193 patent at 78:6-9 
'193 patent at 110:54-55 
'193 patent at 121:15-32 
'193 patent at 127:6-26 
'193 patent at 128:25-33 
'193 patent at 129:52-60 
'193 patent at 129:64-67 
'193 patent at 130:26-29 
'193 patent at 130:41 
'193 patent at 131:33-50 
'193 patent at 131:59-132:18 
'193 patent at 135:49-58 
'193 patent at 137:4-7 
'193 patent at 148:59-149:7 
'193 patent at 149:13-153:31 
'193 patent at 169:5-13 
'193 patent at 174:15-177:53 
'193 patent at 182:43-44 
'193 patent at 217:40-42 
'193 patent at 242:7-53 
'193 patent at 243:28-37 
'193 patent at 245:9-14 
'193 patent at 247:30-51 
'193 patent at 247:61-248:8 
'193 patent at 258:53-55 
'193 patent at 264:16-19 
'193 patent at 264:40-49 
'193 patent at 268:62-64 
'193 patent at 271:58-61 
'193 patent at 276:10-17 
'193 patent at 280:49-58 
'193 patent at 284:22-26 
'193 patent at 293:24-29 
'193 patent at 293:64-294:1 
'193 patent at 297:61-298:2 
'193 patent at 298:54-62 
'193 patent at 301:66-302:2 
'193 patent at 314:58-64 
* 1 nafpnt at 1 1 S • 7-60 

File Histories 
'193 File History, 12/20/96 Office Action, pp. 2-3. 
'193 File History, 6/20/97 Response, pp. 23-25. 
'193 File History, 6/7/00 Office Action, pp. 2-4 (citing USP 4,595,950); see also USP 4,595,950 at 4:4-18; 4:28-33; 4:38-54; 4:64-5:20; 5:35-58; 6:38-65; 7:5-41; 8:48-57; 9:1-39; 9:54-66; and 12:29-13:33. 
'900 File History, 8/27/98 Office Action, pp. 3-4 (citing USP 5,048,085 at 2:41-46). 
'891 File History, 12/20/96 Office Action, pp. 2-3 
USP 5,915,019 File History, 7/28/97 Office Action, pp. 2-3 (citing USPs 5,638,443; 5,563,946; USP 5,509,070; and 5,504,818); see also USP 5,638,443 at 10:61-11:67; USP 5,563,946 at 8:27-58 and 9:25-39; USP 5,509,070 at 7:10-8:9; and USP 5,504,818 at 6:33-67. 
USP 5,915,019 File History, 4/15/98 Office Action, pp. 3-4 (citing USP 5,311,591); see also 5,311,591 at 2:34-46; 11:4-10; and 12:7-20. 
USP 6,389,402 File History, 3/15/00 Office Action, p. 2. 
09/328,668 File History, 9/1/00 Office Action, p. 4. 
USP 5,910,987 File History, 9/23/98 Office Action, p. 4 (citing USP 5,412,717 at 9:33-57); see also USP 5,412,717 at 2:24-26; 5:3-7; and Figs. 2 and 3(c). 
USP 6,363,488 File History, 12/19/00 Office Action, p. 2-4 (citing USP 4,658,093); see also USP 4,658,093 at 4:48-63, and Abstract). 
USP 6,237,786 File History, 7/17/00 Office Action, pp. 2-3 (citing USP 4,827,508); see also USP 4,827,508 at 8:61-9:2; 9:32-36; 19:8-26; and 21:39-55). 
USP 6,112,181 File History, 12/31/98 Office Action, p. 14 (citing USP 5,740,549 at 16:45-54). 
USP 5,949,876 File History, 7/18/97 Office Action, pp. 2-3 (citing USP 5,504,837 at 7:48-8:44; USP 5,508,913 at 3:56-4:11; and USP 5,260,999 at 42:63-43:20 and 45:18-30). 


controlling, control (v.) 
861.58, 193.1 

Patent Specifications 
'193 patent at 15:46-50 
'193 patent at 33:26-30 
'193 patent at 62:58-60 
'193 patent at 63:39-44 
'193 patent at 64:55-58 
'193 patent at 65:35-38 
'193 patent at 68:46-49 
'193 patent at 68:51-53 
'193 patent at 76:37-41 
'193 patent at 77:48-57 
'193 patent at 128:41-46 
'193 patent at 139:60-140:1 
'193 patent at 159:23-26 
'193 patent at 172:51-55 
'193 patent at 174:15-29 
'193 patent at 241:17-26 
'193 patent at 268:29-31 
'193 patent at 273:42-46 
'193 patent at 288:11-12 
'193 patent at 296:13-14 

'683 patent at 24:33-39 
'683 patent at 27:22-24 

File Histories 
'683 File History, 11/12/99 Office Action, p. 13. 
USP 6,389,402 File History, 12/6/00 Office Action, p. 3. 
USP 6,363,488 File History, 12/19/00 Office Action, p. 2. 
USP 6,427,170 File History, 3/3/01 Office Action, p. 4. 

Extrinsic Sources 
The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), pp. 410, 784. 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 
Laplante, Dictionary of Computer Science, Engineering and Technology (2001), p. 104. 
Webster's College Dictionary of Random House (1991), p. 297. 
Funk & Wagnalls Standard College Dictionary (1973-74), p. 295. 
Random House Dictionary of the English Language: College Edition (1968), p. 293. 
Webster's Ninth New Collegiate Dictionary (Merriam-Webster, 1987), p. 285. 


copied file 
193.11 

Patent Specifications 
'193 patent at 325:32-40 

See Digital File; Copy; Copy Control 


copy, copied, copying 
193.1, 193.11, 193.15, 193.19 

Patent Specifications 
'193 patent at 20:36-43 
'193 patent at 23:10-15 
'193 patent at 25:18-24 
'193 patent at 26:59-67 
'193 patent at 28:19-23 
'193 patent at 37:27-36 
'193 patent at 37:59-64 
'193 patent at 48:29-35 
'193 patent at 53:60-62 
'193 patent at 57:67-58:3 
'193 patent at 80:40-48 
'193 patent at 109:15-22 
'193 patent at 131:10-17 
'193 patent at 131:65-132:1 
'193 patent at 143:14-18 
'193 patent at 159:24-26 
'193 patent at 167:63-67 
'193 patent at 194:14-19 
'193 patent at 226:11-16 
'193 patent at 264:29-49 
'193 patent at 279:3-9 
'193 patent at 288:46-52 
'193 patent at 319:12-15 
'193 patent at 323:50-324:7 

Extrinsic Sources 
Personal Computer Dictionary (1995), p. 47. 
The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 416. 
Webster's New World Dictionary of Computer Terms, 6th Edition (1997), p. 118. 
Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 120. 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 
Dictionary of Scientific and Technical Terms, 5th ed. (McGraw-Hill, 1994), p. 461. 

See Copied File 


copy control 
193.1 

Patent Specifications 
'193 patent at 38:4-9 
'193 patent at 48:12-35 
'193 patent at 65:24-38 
'193 patent at 68:51-61 
'193 patent at 72:1-9 
'193 patent at 133:39-50 
'193 patent at 162:10-15 
'193 patent at 167:41-43 
'193 patent at 220:28-40 
'193 patent at 226:11-16 
'193 patent at 237:34-47 
'193 patent at 252:51-58 
'193 patent at 264:28-57 
'193 patent at 278:9-25 
'193 patent at 316:16-317:19 
'193 patent at 322:46-323:7 
'193 patent at 325:32-40 


data item 
891.1 

Patent Specifications 
'193 patent at 9:27-31 
'193 patent at 58:48-57 
'193 patent at 67:56-57 
'193 patent at 126:8-52 
'193 patent at 312:63-66 

Extrinsic Sources 
Wyatt, Computer Professional's Dictionary (Osborne McGraw-Hill, 1990), p. 101. 
Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 131. 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 
Microsoft Computer Dictionary, 2nd ed. (Microsoft Press, 1994), pp. 107-108. 
Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 130. 
McNulty, Security on the Internet, Statement Before the Subcommittee on Science, 
Committee on Science, Space, and Technology, U S House of Representatives (Mar. 
22, 1994), p. 9 ("Data Integrity - Verification that the contents of a data item (e.g., 
message, file, program) have not been accidentally or intentionally changed in an 
unauthorized manner"). 


derive, derives 
900.155 

Patent Specifications 
'900 patent at 73:38-42 
'900 patent at 74:36-42 
'900 patent at 75:30-36 
'900 patent at 75:41-49 
'900 patent at 245:25-39 
'900 patent at 247:4-12 
'900 patent at 247:20-26 

Extrinsic Sources 
The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 504. 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 
Webster's College Dictionary of Random House (1991), p. 365. 
Funk & Wagnalls Standard College Dictionary (1973-74), p. 360. 
Random House Dictionary of the English Language: College Edition (1968), p. 358. 

See "Derives information from one or more aspects of said host processing 
environment" (900.155). 


descriptive data structure 
861.58 

Patent Specifications 
'861 patent at 5:26-37 
'861 patent at 5:57-6:7 
'861 patent at 6:8-10 
'861 patent at 6:19-23 
'861 patent at 6:24-31 
'861 patent at 6:38-47 
'861 patent at 7:42-9:63 
'861 patent at 10:49-61 
'861 patent at 11:15-24 
'861 patent at 11:25-47 
'861 patent at 11:58-12:5 
'861 patent at 13:41-14:12 
'861 patent at 14:13-29 
'861 patent at 15:21-34 
'861 patent at 16:11-31 
'861 patent at 17:13-31 
'861 patent at 17:35-53 
'861 patent at 17:61-18:5 

File Histories 
'861 File History, 6/25/98 Office Action, p. 3 (citing USP 5,537,526); see also USP 5,537,526 at 7:9-67; 10:12-39 and 16:10-20. 
USP 6,138,119 File History, 4/26/00 Office Action, p. 9. 


designating 
721.1 

Patent Specifications 
'721 patent at 7:66-8:2 
'193 patent at 103:11-20 
'193 patent at 150:30-33 
iyj pdlCIil a l 1JH.OH-1 jj.y 
'193 patent at 246:64-66 
'193 patent at 277:56-278:16 
'193 patent at 280:1-4 

Extrinsic Sources 
The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 506. 


device class 
721.1 

File Histories 
'721 File History, 4/13/99 Amendment, p. 14. 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 
The American Heritage Dictionary of the English Language (1969), p. 248. 
Webster's College Dictionary of Random House (1991), pp. 250-251, 370. 
Funk & Wagnalls Standard College Dictionary, (1973-74), p. 251. 


digital file 
193.1, 193.11, 193.15, 193.19 

Patent Specifications 
'193 patent at 45:66-46:3 
'193 patent at 123:66-67 
'193 patent at 165:25-30 
'193 patent at 167:33-35 
'193 patent at 258:30-43 

Extrinsic Sources 
Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 194. 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 
Encyclopedia of Computer Science and Engineering, 2nd ed. (Van Nostrand Reinhold, 1983), p. 494. 
Hutt et al., Computer Security Handbook, 2d ed. (Macmillan, 1988), p. 218. 


digital signature, digitally signing 
721.1 

Patent Specifications 
'721 patent at 4:32-35 
'721 patent at 4:64-5:5 
'721 patent at 6:5-15 
'721 patent at 6:42-52 
'721 patent at 7:11-18 
'791 rn»t*»r»t ^7 
'721 patent at 10:56-59 
'721 patent at 10:60-64 
*721 natpnt at 17-67-1 V* 
'721 patent at 14:61-15:16 
'721 patent at 15:31-34 

Extrinsic Sources 
Dictionary of Information Technology, 3d ed. (Van Nostrand Reinhold, 1989) 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 
Russell et al Comnuter Securitv Rasirs ffVRpillv Mr Accnriat^c 1Q01\ -n am\ 
Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 145. 
Garfinkel et al., Practical Unix Security (O'Reilly & Associates, 1991), p. 122. 
Neumann, Computer Related Risks (ACM Press, 1995), p. 345. 


entity's control 
891.1 

Patent Specifications 
'193 patent at 127:41-45 
'193 patent at 128:61-65 
'193 patent at 203:42-45 
'193 patent at 267:34-42 
'193 patent at 277:42-46 
'193 patent at 281:36-39 


environment 
912.35, 900.155, 891.1, 683.2, 721.34 

Patent Specifications 
'193 patent at 13:27-29 
'193 patent at 17:1-6 
'193 patent at 18:34-36 
'193 patent at 25:39-43 




4 1Q7 rtatp-nt at 7fi ^/\-?0 




M 07 rtatAnt at 40»7 A 

iso paient ai *fy.j-o 




* 1 07 ™»tf*nt at 40* 1 <C 1 7 

iyo paicni ax ny. 




*1 Q7 natpnt at S>A*L^7-f 




'193 patent at 69:33-35 
'193 patent at 72:34-39 
'193 patent at 73:40-42 
'193 patent at 83:43-48 
'193 patent at 100:10-16 
'193 patent at 106:56-62 
I 7j paiCDl dl 141 .n j-*0 
'1Q7 natpnt at ?7R«4^ ^1 
'900 patent at 245:23-39 
'683 patent at 43:28-29 
'721 patent at 1:21-28 
/zi patent at o:_>-o 
/zj patent at o.oo-/./ 

Extrinsic Sources 
yvcumcj ^ j>cw woiju j-/icuonary 01 v_,ornpuier 1 erms, 0 .edition (jyy/j, p. 1 /o. 
Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 178. 


executable programming, executable 

Patent Specifications 


1V3 patent at z:>:3y-4© 




i yj patent at zo:j /-ol> 


912.8, 912.35, 721.34 


iy.5 patent at zy:z4-z_> 


*1Q7 mfont of 71>10 n 

jy.} patent at /jJU-j] 




lyj patent at /o.ov-o/ 




lyj patent at / / .3Zoo 




iyj patent at / /.duo_> 




k 1 Q7 notont qf 7 0 - £ 7 

lyj patent at /o.o-/ 




i patent at oj. iz-i o 




i"j patent at oj.^o-ho 




'193 patent at 86:41-56 
'193 patent at 110:60-111:8 
' 1 07 n^tpnt at 1 1 1 «Q 1 f\ 
i paiem ai 1 1 1 1 o 
1 1 07 «at*»r»t at 1 1 1 ♦7fL7,4 
'193 patent at 126:30-31 
'193 patent at 136:52-55 
'193 patent at 140:7-11 
'193 patent at 141:42-56 
'721 patent at 1:21-28 
'721 patent at 5:34-39 
ill patent at o:/4-zo 
'912 patent at 329:16-24 

File Histories 
'721 File History, 4/13/99 Amendment, p. 14. 

Extrinsic Sources 
Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 182. 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 
Krol, The Whole Internet: User's Guide and Catalog (O'Reilly, 1992), p. 69. 
IBM Dictionary of CornDutinB ( McGraw Hill 1 9941 n 7 SO 
Microsoft Computer Dictionary. 2 nd ed (Microsoft Pres* 1094*1 n 1^3 I 
Encyclopedia of Computer Science and Engineering, 2nd ed. (Van Nostrand Reinhold, 1983), p. 1229. 


execution space, execution space identifier 
912.8 

Patent Specifications 
'193 patent at 69:14-22 
'193 patent at 69:33-35 
'193 patent at 70:43-44 
'193 patent at 75:38-42 
'193 patent at 87:35-38 
'193 patent at 88:38-43 
'193 patent at 104:30-44 
'193 patent at 105:55-57 
'193 patent at 106:38-43 
'193 patent at 107:31-47 
'193 patent at 107:63-108:7 
'193 patent at 309:27-33 
'193 patent at 113:53-62 
'193 patent at 140:15-141:11 
'912 patent at 327:59-61 
'912 patent at 327:65-67 
'721 patent at 3:16-19 
'721 patent at 4:51-54 
'721 patent at 5:1-5 
'721 patent at 8:34-40 

File Histories 
'721 File History, 4/19/99 Amendment, p. 34. 


governed item 
683.2 

Patent Specifications 
'683 patent at 24:33-39 
'683 patent at 27:22-24 
'193 patent at 9:27-31 
'193 patent at 15:46-50 
'193 patent at 33:26-30 
'193 patent at 58:48-57 
'193 patent at 63:39-44 
i yj parent at o / : 2>o- j 1 
'193 patent at 76:37-41 
'193 patent at 126:8-52 
'193 patent at 128:41-46 
'193 patent at 139:60-140:1 
'193 patent at 159:23-26 
'193 patent at 172:51-55 
'193 patent at 174:15-29 
'193 patent at 241:17-26 
'193 patent at 273:42-46 
'193 patent at 288:11-12 
'193 patent at 296:13-14 
'193 patent at 312:63-66 

File Histories 
'683 File History, 11/12/99 Office Action, p. 13. 
USP 6,389,402 File History, 12/6/00 Office Action, pp. 2-3. 
USP 6,363,488 File History, 12/19/00 Office Action, p. 2. 
USP 6,427,170 File History, 3/3/01 Office Action, p. 4. 

Extrinsic Sources 
Wyatt, Computer Professional's Dictionary (Osborne McGraw-Hill, 1990), p. 101. 
Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 131. 
The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 784. 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 
Microsoft Computer Dictionary, 2nd ed. (Microsoft Press, 1994), pp. 107-108. 
Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 130. 
McNulty, Security on the Internet, Statement Before the Subcommittee on Science, 
Committee on Science, Space, and Technology, U S House of Representatives (Mar. 
22, 1994), p. 9 ("Data Integrity - Verification that the contents of a data item (e.g., 
message, file, program) have not been accidentally or intentionally changed in an 
unauthorized manner"). 


halting 
900.155 

Patent Specifications 
'900 patent at 154:34-40 

Extrinsic Sources 
The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 816. 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 
Dictionary of Scientific and Technical Terms, 5th ed. (McGraw-Hill, 1994), p. 898. 
The American Heritage Dictionary of the English Language (1969), p. 595. 
Dictionary of Computing, 3rd ed. (Oxford, 1990), p. 201. 


host processing environment 
900.155 


Patent Specifications 
'900 patent at 21:1-17
'900 patent at 49:31-48
'900 patent at 78:30-40
'900 patent at 87:32-46
'900 patent at 96:6-18
'900 patent at 112:2-27
'900 patent at 112:48-52

'193 patent at 13:7-23
'193 patent at 21:5-25




'193 patent at 76:63-67 
'193 patent at 79:30-46
'193 patent at 79:60-81:12
'193 patent at 83:47-48 
'193 patent at 88:31-43 
lyj patenx ai l km .jy-on 
'193 patent at 105:25-39 
'193 patent at 203:63-65
'193 patent at 225:43-46 

'683 patent at 20:16-19 
'683 patent at 29:50-30:3 


identifier, identify, identifying

193.11, 193.15, 912.8, 912.35,
861.58


Patent Specifications 
'193 patent at 25:31-38 
'193 patent at 68:22-25 
'193 patent at 85:59-63 
'193 patent at 88:31-43 
'193 patent at 131:33-45 
'193 patent at 135:54-58 
'193 patent at 140:35-50 
'193 patent at 207:27-35 
'193 patent at 233:35-41
'193 patent at 268:28-42
'193 patent at 270:12-21
'193 patent at 280:58-66
'193 patent at 298:45-54

Extrinsic Sources 

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 896. 
Citations from Sources Designated by Microsoft under PLR 4-2(b)


Cooper, Computer & Communications Security: Strategies for the 1990s, p. 375. 

Glossary of Telecommunications Terms (National Communications Systems, 1996), p. 
1-1. 


including

193.1 (at 320:63, and 321:3); 
193.19 (at 324:15); 

912.8 (at 327:36, 39, and 41); 
912.35 (330:35 and 39); 
861.58 (at 26:53 and 63); and 

683.2 (at 63:60). 


Patent Specifications 
'193 patent at 58:48-53 
'193 patent at 126:62-65
'193 patent at 133:62-134:14 
'193 patent at 136:53-56 

Extrinsic Sources 

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 913.
Citations from Sources Designated by Microsoft under PLR 4-2(b)


Webster's College Dictionary of Random House (1991), p. 680. 

Funk & Wagnalls Standard College Dictionary (1973-74), p. 680. 

Random House Dictionary of the English Language: College Edition (1968), p. 673. 

Webster's Ninth New Collegiate Dictionary (Merriam-Webster, 1987), p. 609.


information previously stored 
900.155 


Patent Specifications 

'900 patent at 239:15-55 
'900 patent at 240:31-34

Citations from Sources Designated by Microsoft under PLR 4-2(b)
The American Heritage Dictionary of the English Language (1969), p. 1038.

Webster's College Dictionary of Random House (1991), pp. 691, 1070. 


integrity programming
900.155 


Patent Specifications 

'900 patent at 228:28-39
'900 patent at 231:23-31
'900 patent at 233:8-15
'900 patent at 236:11-13
'900 patent at 236:31-38
'900 patent at 236:31-237:53
'900 patent at 239:4-240:6

'900 patent at 240:16-42
'900 patent at 243:29-41
'900 patent at 243:63-244:43
'900 patent at 246:52-247:57

Citations from Sources Designated by Microsoft under PLR 4-2(b)


The New IEEE Standard Dictionary of Electrical and Electronic Terms (IEEE, 1993),
pp. 304, 663.

Russell et al., Computer Security Basics (O'Reilly & Associates, 1991), p. 414.
Neumann, Computer Related Risks (ACM Press, 1995), p. 2.


key 
193.19 


Patent Specifications 

'193 patent at 12:35-39
'193 patent at 22:1-14
'193 patent at 49:3-4
'193 patent at 59:16-18
'193 patent at 67:26-31
'193 patent at 119:17-18
'193 patent at 129:30-35
'193 patent at 143:6-9
'193 patent at 200:1-9
'193 patent at 200:25-58
'193 patent at 201:50-55
'193 patent at 202:38-51
'193 patent at 207:50-60
'193 patent at 211:18-20
'193 patent at 211:30-216:21

Extrinsic Sources

Mambo et al., A Tentative Approach to Constructing Tamper-Resistant Software, pp.
23-24.

Parks, Microsoft Corporation, Microsoft® Windows Media™ Device Digital Rights
Manager v7.1 (WMD-DRM): Overview And Design (WinHEC 2002 Presentation),
slide 21.

Davies, Security For Computer Networks: An Introduction to Data Security in
Teleprocessing and Electronic Funds Transfer, Second Edition (1984), p. 113.




Howard et al., Writing Secure Code, Microsoft Press (2002), p. 175.

Europay International S. A., MasterCard International Incorporated, and Visa
International Service Association, Integrated Circuit Card Specification for Payment
Systems (June 30, 1996), Page E-3.

The International Telegraph And Telephone Consultative Committee, Security
Architecture For Open Systems Interconnection For CCITT Applications (1991), p. 5.

Ehrsam et al., A cryptographic key management scheme for implementing the Data
Encryption Standard, IBM Systems Journal 17, No. 2, 106-125, pp. 128-130.

Banking - Personal Identification Number management and security - Part 1: PIN
protection principles and techniques (International Organization of Standardization,
ISO 9564-1 1991-12-15, First Edition), pp. 3 and 20.

USP 4,168,396 (Best) at 2:7-9

USP 5,509,070 (Schull) at 15:1-12

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/diffie_hellman_keys.asp (Oct. 2002)

Diffie and Hellman, New Directions in Cryptography, IEEE Transactions on
Information Theory, v. IT-22, n. 6 (Nov. 1976), pp. 644-654.

Schneier, Applied Cryptography, 2nd ed. (Wiley, 1996), pp. 170-175, 189-211,
265-278, 397-398, 513-516.

National Bureau of Standards, NBS FIPS PUB 81, DES Modes of Operation, US
Department of Commerce (Dec. 1980).

Telecom Glossary 2000, Technical Subcommittee on Performance and Signal
Processing (American National Standard for Telecommunications, Feb. 2001), see
entries for "derivation key," "key encrypting key pair," "key production key," "variant
of a key," "key encrypting key," "master key," "linear key," "key type," "seed key."
On the web at http://www.atis.org/tg2k/_derivation_key.html et seq.

Citations from Sources Designated by Microsoft under PLR 4-2(b)


National Information System Security (INFOSEC) Glossary, NSTISSI No. 4009 (Sept.
2000), p. 32.

Glossary of Telecommunications Terms (National Communications Systems, 1996),
pp. K-1, K-2, M-15.

Shirey, Internet Security Glossary, Network Working Group, RFC 2828 (May 2000),
p. 49.

Freedman, The Computer Glossary: The Complete Illustrated Desk Reference, 6th ed.
(Computer Language Co., 1992), p. 297.

Pfleeger, Security in Computing (Prentice Hall, 1989), p. 398. 

Cooper, Computer & Communications Security: Strategies for the 1990s (Intertext 
Publications/Multiscience Press, 1989), pp. 334-335. 


load module
912.8, 721.1


Patent Specifications
'193 patent at 17:15-21
'193 patent at 18:28-33
'193 patent at 25:39-52
'193 patent at 25:57-63
'193 patent at 34:26-37
'193 patent at 50:65
'193 patent at 71:26-31
'193 patent at 77:23-25
'193 patent at 85:21-29
'193 patent at 86:36-60
'193 patent at 110:60-67
'193 patent at 111:59-65
'193 patent at 126:15-31
'193 patent at 136:52-60
'193 patent at 139:14-142:38
'193 patent at 151:19-22

'721 patent at 3:21-35
'721 patent at 4:5-9
'721 patent at 4:22-42
'721 patent at 5:26-39
'721 patent at 14:39-60

File Histories

09/342,899 File History, 6/12/00 Office Action, p. 4 (citing USP 5,748,960 at 6:63-67);
see also USP 5,748,960 at 1:33-52; 9:14-19; 11:15-25; 14:47-59; and 16:23-32.

09/328,668 File History, 5/16/01 Office Action, p. 4.

Extrinsic Sources

Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 287.


machine check programming
900.155


Patent Specifications
'900 patent at 231:23-31
'900 patent at 233:8-15
'900 patent at 236:11-13
'900 patent at 236:31-237:53
'900 patent at 239:4-240:6
'900 patent at 240:16-42
'900 patent at 243:29-41
'900 patent at 243:63-244:43
'900 patent at 246:52-247:57

opening secure containers
683.2


Patent Specifications
'683 patent at 8:28-31
'683 patent at 9:59-61
'683 patent at 13:6




*£C1 Triton* n« 1 C.jLI \C*A 

OoJ patent at J j:o/-1o:4 




'683 patent at 18:42-49
'683 patent at 42:34-52
'683 patent at 49:31-38
'683 patent at 56:17-25

'193 patent at 183:24-25
'193 patent at 184:6-22




'193 patent at 185:11-12
'193 patent at 254:45-46

Citations from Sources Designated by Microsoft under PLR 4-2(b)

Encyclopedia of Computer Science and Engineering, 2nd ed. (Van Nostrand Reinhold,
1983), p. 1051.


operating environment
891.1


Patent Specifications
'193 patent at 34:37-41
'193 patent at 34:54-59
'193 patent at 63:13-17

Extrinsic Sources

Webster's New World Dictionary of Computer Terms, 6th ed. (1997), p. 370.


organization, organization information, organize
861.58


Patent Specifications
'861 patent at 5:57-6:7
'861 patent at 7:54-58
'861 patent at 10:38-53
'861 patent at 14:34-29
'861 patent at 28:34-43
'861 patent, Abstract

'193 patent at 33:43-49
'193 patent at 103:23-32
'193 patent at 127:17-19
'193 patent at 232:63-233:1
'193 patent at 274:54-58
'193 patent at 294:41-45
'193 patent at 302:2-12
'193 patent at 309:4-9


portion
193.1, 193.11, 193.15, 193.19,
912.8, 912.35, 861.58


Patent Specifications
'193 patent at 23:66-24:2
'193 patent at 24:41-43
'193 patent at 46:22-24
'193 patent at 59:34-37
'193 patent at 128:49-55
'193 patent at 226:14-16
'193 patent at 299:19-31

Extrinsic Sources

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 1412.

Citations from Sources Designated by Microsoft under PLR 4-2(b)

Webster's College Dictionary of Random House (1991), p. 1052.

Funk & Wagnalls Standard College Dictionary (1973-74), p. 1052.


prevents
721.34


Patent Specifications
'721 patent at 6:56-62

Extrinsic Sources

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 1436.

Citations from Sources Designated by Microsoft under PLR 4-2(b)




Webster's College Dictionary of Random House (1991), p. 1070. 




Random House Dictionary of the English Language: College Edition (1968), p. 1050. 


processing environment
912.35, 900.155, 721.34, 683.2


Patent Specifications
'193 patent at 13:17-23
'193 patent at 75:65-76:9
'193 patent at 79:36-39

'721 patent at 1:23-28

File Histories

USP 5,915,019 File History, 4/15/98 Office Action, p. 4.

Extrinsic Sources

Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 383.

Citations from Sources Designated by Microsoft under PLR 4-2(b)

IBM Dictionary of Computing (McGraw Hill, 1994), p. 533.


protected processing environment
721.34, 683.2


Patent Specifications
'193 patent at 13:7-14
'193 patent at 13:17-23
'193 patent at 79:24-83:9
'193 patent at 105:15-41
'193 patent at 223:30-225:19
'193 patent at 226:43-57
'193 patent at 277:26-32
'193 patent at 278:45-65
'193 patent at 283:44-46
'193 patent at 291:39-49
'193 patent at 298:9-10
'193 patent at 318:1-5

'683 patent at 12:59-61
'683 patent at 16:60-62
'683 patent at 29:51-30:3

'721 patent at 8:33-40

File Histories

'721 File History, 4/13/99 Amendment, p. 13.


protecting
683.2


Extrinsic Sources

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 1456.




record (n.)
912.8, 912.35


Patent Specifications
'193 patent at 134:54-58
'193 patent at 138:12-139:13
'193 patent at 264:20-57
'193 patent at 324:64-67

File Histories

'912 File History, 12/24/97 Office Action, pp. 2-3 (citing USP 5,629,980); see also




USP 5,629,980 at 9:6-11:29. 

'912 File History, 6/24/98 Amendment, pp. 73-74.

'912 File History, 9/22/98 Office Action, pp. 2-3 (citing USP 5,748,960); see also USP
5,748,960 at 11:7-13 and 12:46-48.

Extrinsic Sources

Personal Computer Dictionary (1995), p. 149.

Citations from Sources Designated by Microsoft under PLR 4-2(b)


The New IEEE Standard Dictionary of Electrical and Electronic Terms (IEEE 1993),
p. 1087.

Hutt et al., Computer Security Handbook, 2nd ed. (1987), p. 389.

Telecommunications: Glossary of Telecommunications Terms (National
Communications Systems, 1996), p. R-10.

Hansen, The Dictionary of Computing and Digital Media: Terms and Acronyms
(1999), p. 261.

Dictionary of Scientific and Technical Terms, 5th ed. (McGraw-Hill, 1994), p. 1664.

Illustrated Dictionary of Computing, 2nd ed. (Prentice Hall, 1992), p. 505.

Laplante, Dictionary of Computer Science, Engineering and Technology (2001), p.
410.

Webster's New World Dictionary of Computer Terms, 4th ed. (1992), p. 349.

Longley et al., Information Security: Dictionary of Concepts, Standards and Terms
(Stockton Press, 1992), p. 437.

IBM Dictionary of Computing (McGraw Hill, 1994), p. 561.

Encyclopedia of Computer Science and Engineering, 2nd ed. (Van Nostrand Reinhold,

1 7o3)) p. I Z 


required 
912.8, 861.58 


Extrinsic Sources

The American Heritapp Oirtinnarv "^H pH fH 011 ohton Mifflin n 1^3"} 

Citations from Sources Designated by Microsoft under PLR 4-2(b)


Random Hoii^p Diptionarv of thp Fnolisli T^inoiiaop* P'oIIpop Prlitirvn ^1Q6R^ n 1171 


resource processed
891.1


Patent Specifications
'193 patent at 7:48-57
'193 patent at 21:5-25
'193 patent at 29:3-8
'193 patent at 38:60-39:8
'193 patent at 40:1-7
'193 patent at 57:49-51
'193 patent at 64:2-5
'193 patent at 69:63-65
'193 patent at 51:61
'193 patent at 72:39-44
'193 patent at 74:28-37
'193 patent at 75:5-8



'193 patent at 75:15-30
'193 patent at 75:42-47
'193 patent at 76:61-77:11
'193 patent at 77:57-63
'193 patent at 79:36-39
'193 patent at 79:50-54
'193 patent at 79:64-67
'193 patent at 80:9-12
'193 patent at 80:30-35
'193 patent at 81:14-19
'193 patent at 81:32-35
'193 patent at 88:50-52
'193 patent at 89:49-55
'193 patent at 90:31-46
'193 patent at 91:12-25
'193 patent at 94:14-18
'193 patent at 100:32-35
'193 patent at 100:46-54
'193 patent at 101:38-42
'193 patent at 104:49-52
'193 patent at 104:59-64
'193 patent at 108:1-4
'193 patent at 141:49-55
'193 patent at 201:47-49
'193 patent at 201:57-58
'193 patent at 241:52-55
'193 patent at 252:60-62
'193 patent at 258:45-52
'193 patent at 276:53-58
'193 patent at 282:20-24
'193 patent at 283:23-28
'193 patent at 283:40-44
'193 patent at 284:16-28
'193 patent at 313:3-18
'193 patent at 314:33-39

File Histories 

'893 File History, 12/20/96 Office Action, p. 2.

USP 6,363,488 File History, 12/19/00 Office Action, p. 2.



rule 

861.58, 683.2 



Patent Specifications 
'683 patent at 6:11-22
'683 patent at 31:37-38
'683 patent at 15:22
'683 patent at 24:26-33
'683 patent at 45:60-63
'683 patent at 47:42-45
'683 patent at 54:29-37
'683 patent at 55:23-26

'193 patent at 53:53-59
'193 patent at 59:1-5
'193 patent at 149:24-40
'193 patent at 241:11-14
'193 patent at 241:29-36
'193 patent at 242:9-61




'193 patent at 243:4-7
'193 patent at 243:57-62
'193 patent at 253:9-30
'193 patent at 253:34-40
'193 patent at 253:46-49

'861 patent at 1:53-60
'861 patent at 2:13-36
'861 patent at 6:19-23
'861 patent at 15:66-16:9
'861 patent at 18:26-44
'861 patent at 20:38-51
'861 patent, Abstract

File Histories

'683 File History, 11/12/99 Office Action, pp. 4, 6 (citing USP 5,412,717 at 10:8-39);
see also USP 5,412,717 at 2:24-48 and 12:24-44.

USP 6,427,140 File History, 3/30/01 Office Action, pp. 3-4.

USP 6,138,119 File History, 10/26/99 Office Action, p. 4.

USP 6,138,119 File History, 4/26/00 Office Action, p. 9.

App. No. 09/498,369, 5/30/02 Office Action, p. 3 (citing 5,765,152 patent at 4:61-5:4).

USP 6,389,402 File History, 12/6/00 Office Action, pp. 2-3, 6 (citing USP 3,790,700
and USP 5,629,980 at 23:37-42); see also USP 3,790,700 at 5:14-18, 35-46; and USP
5,629,980 at 23:9-42.


secure
193.1, 193.11, 193.15, 912.35,
861.58, 891.1, 683.2, 721.34


Patent Specifications
'193 patent at 8:1-7
'193 patent at 12:33-39
'193 patent at 13:54-57
'193 patent at 17:33-37
'193 patent at 17:67-18:5
'193 patent at 21:26-29
'193 patent at 22:15-19
'193 patent at 41:37-42
'193 patent at 42:8-16
'193 patent at 45:19-32
'193 patent at 45:39-45
'193 patent at 45:52-59
'193 patent at 46:4-5
'193 patent at 49:33-55
'193 patent at 49:59-62
'193 patent at 59:48-59
'193 patent at 63:35-39
'193 patent at 63:48-64:47
'193 patent at 68:66-69:22
'193 patent at 71:31-40
'193 patent at 73:19-37
'193 patent at 81:12-19
'193 patent at 77:30-78:18
'193 patent at 80:22-81:19
'193 patent at 83:44-48
'193 patent at 84:60-85:2
'193 patent at 87:33-66



'193 patent at 88:36-43
'193 patent at 125:60-64
'193 patent at 126:6-8
'193 patent at 126:30-32
'193 patent at 199:36-200:9
'193 patent at 200:66-201:4
'193 patent at 203:58-204:2
'193 patent at 216:22-217:12
'193 patent at 221:1-37
'193 patent at 226:55-56
'193 patent at 233:25-30
'193 patent at 233:51-54
'193 patent at 238:46-65

'721 patent at 1:19-28

File Histories 



App. No. 09/328,668, 5/16/01 Office Action, p. 2 (citing USP 5,388,211 at 5:35-40).
'683 File History, 11/12/99 Office Action, p. 11.

Extrinsic Sources

Webster's New World Dictionary of Computer Terms, 6th Edition (1997), p. 463.

Citations from Sources Designated by Microsoft under PLR 4-2(b)

The New IEEE Standard Dictionary of Electrical and Electronic Terms (IEEE 1993),
p. 1181.

Cooper, Computer & Communications Security: Strategies for the 1990s, p. 383.

Freedman, The Computer Glossary: The Complete Illustrated Desk Reference
(Computer Language Co., 1992), p. 460.

Dictionary of Computing, 3rd ed. (Oxford, 1990), p. 406.

Encyclopedia of Computer Science and Engineering, 2nd ed. (Van Nostrand Reinhold,
1983), pp. 493-497.

Landwehr, Formal Models for Computer Security, ACM Computer Surveys (Sept.
1981), pp. 247, 253.

Mullender, Distributed Systems, 2nd ed. (Addison-Wesley, 1993), p. 420.

Hutt et al., Computer Security Handbook, pp. 75, 201, 218, 221, 292-93.

Hoffman, Modern Methods for Computer Security and Privacy (Prentice-Hall, 1977),
p. 170.

Garfinkel et al., Practical Unix Security (O'Reilly & Associates, 1991), pp. 12-13.
Neumann, Computer Related Risks (ACM Press, 1995), pp. 2, 96.
Tanenbaum, Modern Operating Systems (Prentice Hall, 1992), p. 182.



Patent Specifications 



'683 patent at 7:10-13 
'683 patent at 9:59-61 


912.35, 861.58, 683.2

'683 patent at 15:61-16:4
'683 patent at 18:49-56
'683 patent at 25:29-34
'683 patent at 25:62-26:4
'683 patent at 29:64-66
'683 patent at 53:3-5

'193 patent at 8:1-7
'193 patent at 8:53-66
'193 patent at 12:40-43
'193 patent at 13:44-14:4
'193 patent at 15:39-46
'193 patent at 17:46-55
'193 patent at 19:15-32
'193 patent at 22:20-25
'193 patent at 24:64-25:2
'193 patent at 31:66-32:3
'193 patent at 33:24-26
'193 patent at 34:13-49
'193 patent at 43:26-32
'193 patent at 52:55-56
'193 patent at 58:37-59:5
'193 patent at 103:47-58
'193 patent at 104:12-28
'193 patent at 126:15-28
'193 patent at 127:2-134:23
'193 patent at 128:11-21
'193 patent at 189:25-29
'193 patent at 241:5-15
'193 patent at 264:40-49
'193 patent at 274:54-61




'107 r«;it#>Tit at 777- 1 1 1< 1 

i y j paieni ai / / / . j .3- 1 j J 




'193 patent at 284:8-16
'193 patent at 291:29-33
'193 patent at 292:27-47




1 1 Q7 natpnt at 7fl1 -7£. <7 

j y*j paieni ai j\j i joo / j 




'193 patent at 313:33-36
'193 patent at 314:43-49




'193 natpnt at 3 1 7-^7 31 fi«JJ \ 




'861 patent at 2:12-16
'861 patent at 5:26-30
'861 patent at 6:24-29

Extrinsic Sources

USP 5,634,019 at 7:34-49

Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 115.

File Histories

'683 File History, 11/12/99 Office Action, p. 4, 6, 32 (citing USP 5,412,717); see also
USP 5,412,717 at 5:3-37.

'861 File History, 6/25/98 Office Action, p. 5 (citing USP 5,537,526); see also USP
5,537,526 at 15:63-16:25.

USP 6,363,488 File History, 12/19/00 Office Action, pp. 3-4.




USP 6,237,786 File History, 7/17/00 Office Action, pp. 2-3 (citing USP 4,817,508);
see also USP 4,817,508 at 8:61-9:2; 9:32-36; 19:8-26; and 21:39-55.

09/764,370 File History, 1/18/01 Amendment, pp. 17-19.

USP 6,427,140 File History, 3/30/01 Office Action, p. 3.

09/819,063 File History, 9/27/00 Preliminary Amendment, pp. 21-22.

09/498,369 File History, 5/30/02 Office Action, p. 3 (citing USP 5,765,152 at 4:61-5:4);
see also USP 5,765,152 at Fig. 7D.

USP 6,112,181 File History, 12/31/98 Office Action, p. 15 (citing USP 5,740,549 at
16:45-54).

USP 5 915 019 File Historv 4/1S/98 OfTirp Artirm n« ~\~a ticd c t * 1 
UW1 J)/iJ)Vi7 j ut jriidiui y y *t/ 1 jfyo Vylilvc /\CliOH, pp. ^citing Uor 5 311 591 at > 

2:14-46). ' ' 


secure container governed item
683.2 


Patent Specifications 
'193 patent at 58:38-58 


secure database
193.1, 193.11, 193.15


Patent Specifications

'193 patent at 50:54-55
'193 patent at 51:11-40
'193 patent at 62:66-63:7
'193 patent at 69:56-62
'193 patent at 71:28-40
'193 patent at 72:14-25
'193 patent at 88:27-28
'193 patent at 90:16-20
'193 patent at 100:21-101:31
'193 patent at 157:24-30
'193 patent at 120:59-66
'193 patent at 123:64-125:2
'193 patent at 126:6-67
'193 patent at 142:67-143:46
'193 patent at 148:34-43
'193 patent at 153:33-154:49
'193 patent at 156:26-169:18
'193 patent at 205:60-64
'193 patent at 211:3-9
'193 patent at 215:34-43
'193 patent at 215:58-218:30
'193 patent at 226:26-42

File Histories
09/342,899 File History, 6/12/00 Office Action, pp. 4-5.

'193 File History, 6/7/00 Office Action, p. 2 (citing USP 4,595,950); see also USP
4,595,950 at 4:38-54; 8:52-68; and 14:49-15:11.

'683 File History, 11/12/99 Office Action, pp. 5-6.




'900 File History, 8/27/98 Office Action, p. 7 (citing USP 5,048,085 at 6:55-7:14).

'900 File History, 12/9/97 Office Action, pp. 5, 10 (citing USP 5,655,077 at 3:60-67
and USP 5,572,673); see also USP 5,655,077 at 4:24-59; and USP 5,572,673, Abstract.

Extrinsic Sources

Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 129.

Wyatt, Computer Professional's Dictionary (Osborne McGraw-Hill, 1990), p. 98.

Citations from Sources Designated by Microsoft under PLR 4-2(b)

Encyclopedia of Computer Science and Engineering, 2nd ed. (Van Nostrand Reinhold,
1983), p. 441.

Hansen, The Dictionary of Computing and Digital Media: Terms and Acronyms
(1999), p. 74.


secure execution space 



Patent Specifications 




*771 natpnt at A. 


721.34 


/zi patent at o.4yoz 




/zi patent at /.14-z.) 




ill patent at o.33-4U 


secure memory, memory
193.1, 193.11, 193.15


Patent Specifications
'193 patent at 13:7-14
'193 patent at 21:17-42
'193 patent at 22:15-19
'193 patent at 23:43-50
'193 patent at 32:15-21
'193 patent at 49:15-17
'193 patent at 49:33-55
'193 patent at 59:42-59
'193 patent at 60:1-3




1V3 patent at o2:l4-/4 




jyj patent at oz:43-j/ 




1V3 patent at 03:oU-o4::> 




iyj patent at oj.o4-oo:4 




1V3 patent at oy.i4-/z 




lyj patent at oy.z^-jl 




1 1 07 mtpnt of AO'<ii <0 

iyj patent at oy.->4oy 




MQ7 natMit at AO-A^ 71-47 

i7 j paieni ai oy.oj-/i.4/ 




iio paieni ai /i.4o-ou 




4 tQ7 nat*>nt at 77*^7 77*77 

i7j paieni at 




4 1 07 notAnt of 70- AH 8 1 • 1 1 

i7j paieni ai /y.ou-oi.i i 




M 07 natpnt at Rl • 1 7 10 

i ✓ j paieni ai oi.iz-iy 




4 107 rvatpnt at 8R«A7 A£ 

lio paieni ai oo.oz-oo 




4 1 Q7 nofprtt *t \CmA'AQ &A 

i7 j paieni at iU4.4y-04 




i y j paieni ai iv/y./4-ou 




iso paieni ai iiu.4/-4y 




'193 patent at 111:12-16
'193 patent at 120:60-63
'193 patent at 121:41-43
'193 patent at 125:60-67
'193 patent at 169:3-12
'193 patent at 206:8-11
'193 patent at 216:56-217:20
'193 patent at 218:4-15




File Histories

'900 File History, 6/9/98 Amendment, pp. 7-8.

'900 File History, 8/27/98 Office Action, p. 3 (citing USP 5,048,085 at 6:61-7:14).

09/698,044 File History, 10/27/00 Amendment, p. 34.

09/272,998 File History, 10/11/01 Office Action, p. 3.

Extrinsic Sources

Microsoft Computer Dictionary, 3rd ed. (Microsoft Press, 1997), p. 302.

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), pp. 1126,
1631-1632.

Citations from Sources Designated by Microsoft under PLR 4-2(b)

Cooper, Computer & Communications Security: Strategies for the 1990s, p. 386.

Hansen, The Dictionary of Computing and Digital Media: Terms and Acronyms
(1999), p. 329.

Dictionary of Scientific and Technical Terms, 5th ed. (McGraw-Hill, 1994), p. 2136.

Webster's Ninth New Collegiate Dictionary (Merriam-Webster, 1987), p. 1317.

Encyclopedia of Computer Science and Engineering, 2nd ed. (Van Nostrand Reinhold,
1983), p. 968.


secure operating environment,
said operating environment

891.1


Patent Specifications
'193 patent at 13:37-41
'193 patent at 69:33-35
'193 patent at 83:44-48

File Histories

'912 File History, 12/24/97 Office Action, p. 3.


securely applying 
891.1 


Patent Specifications

'193 patent at 9:40-45
'193 patent at 18:60-19:1
'193 patent at 19:13-21
'193 patent at 22:48-58
'193 patent at 26:59-67
'193 patent at 28:8-15
'193 patent at 30:38-41
'193 patent at 30:55-65
'193 patent at 33:10-24
'193 patent at 33:30-37
'193 patent at 43:41-43
'193 patent at 45:7-9
'193 patent at 54:36-38
'193 patent at 57:27-28
'193 patent at 59:34-37
'193 patent at 120:15-18
'193 patent at 283:33-39
'193 patent at 299:39-51
'193 patent at 300:6-30




'193 patent at 308:1-7 


securely assembling
912.8, 912.35


Patent Specifications
'193 patent at 25:57-26:12
'193 patent at 83:43-85:39
'193 patent at 86:66-88:21
'193 patent at 112:46-113:62
'193 patent at 115:43-116:51
'193 patent at 126:34-36
'193 patent at 138:32-36
'193 patent at 159:61-160:8
'193 patent at 250:21-34
'193 patent at 260:36-47


securely processing 


Patent Specifications 




4 19^ natpnfat 79*74-81-1? 


891.1 


'193 Datent at 104 3 9-64 


'193 patent at 105:15-20




File Histories




'900 File Historv 1 2/9/97 Office AcrinrL r> 6 f citino T S 4Rfi fi??V qpp alcn T 1<nP ! 




5 486 622 Abstract 


securely receiving
891.1


Patent Specifications
'193 patent at 5:4-6
'193 patent at 12:33-39
'193 patent at 13:54-57
'193 patent at 55:52-54
'193 patent at 57:27-36
'193 patent at 60:33-48
'193 patent at 62:32-39
'193 patent at 67:21-52
'193 patent at 68:65-69:11
'193 patent at 75:65-76:1
'193 patent at 76:10-32
'193 patent at 77:30-44
'193 patent at 81:26-32
'193 patent at 83:53-84
'193 patent at 91:38-51
'193 patent at 96:1-5
'193 patent at 96:12-17
'193 patent at 101:54-102:25
'193 patent at 102:41-51
'193 patent at 104:29-37
'193 patent at 118:64-119:42
'193 patent at 123:22-28
'193 patent at 123:50-56
'193 patent at 155:51-156:2
'193 patent at 160:65-161:51
'193 patent at 162:39-65
'193 patent at 162:66-163:35
'193 patent at 200:66-201:42
'193 patent at 211:39-212:10
'193 patent at 214:57-67
'193 patent at 218:31-220:19




'193 patent at 225:50-226:36
'193 patent at 227:25-228:30
'193 patent at 233:25-32
'193 patent at 282:56-61
'193 patent at 283:61-65
'193 patent at 290:46-62

'891 patent at 322:56-63

Extrinsic Sources

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 3508.


security level, level of security
721.1, 721.34, 912.8


Patent Specifications
'721 patent at 6:16-62
'721 patent at 16:38-17:5
'721 patent at 17:24-40
'721 patent at 18:44-19:10
'721 patent at 19:24-32

'193 patent at 140:15-141:11


tamper resistance


Patent Specifications
'721 patent at 3:16-19


I 771 1 7?i id. onn 


'721 patent at 4:40-42
'721 patent at 5:1-6
'721 patent at 6:25-30
'721 patent at 6:34-41
'721 patent at 6:53-56
'721 patent at 16:38-17:5

'193 patent at 20:53-57
'193 patent at 21:23-37
'193 patent at 22:1-6
'193 patent at 49:15-31
'193 patent at 59:48-59
'193 patent at 63:60-64:5
'193 patent at 73:30-31
'193 patent at 77:34-38
'193 patent at 80:22-81:11
'193 patent at 87:41-60
'193 patent at 110:47-49
'193 patent at 114:57-62
'193 patent at 120:59-121:1
'193 patent at 130:28-33
'193 patent at 218:33-63

'683 patent at 3:27-34
'683 patent at 5:11-17
'683 patent at 8:9-10
'683 patent at 16:58-62
'683 patent at 20:16-19
'683 patent at 29:55-30:3

File Histories

'900 File History, 12/9/97 Office Action, p. 9 (citing USP 4,864,494, Abstract; 4:13-40;
6:21-65; and 7:15-47).




'900 File history, 8/27/98 Office Action, p. 3 (citing USP 5,048,085); see also USP 
5,048,085 at 6:55-7:19 

USP 5,917,912 File History, 9/22/98 Office Action, p. 4. 

'683 File History, 11/12/99 Office Action, p. 5 (citing USP 5,499,298, Abstract and
6:45-7:9).

Extrinsic Sources 

Kent, Protecting Externally Supplied Software in Small Computers, Doctoral Thesis 
(Sept. 22, 1980), p. PA00000362. 

Aucsmith, Tamper Resistant Software: An Implementation (1996), p. PA00002323 

Mambo et al., A Tentative Approach to Constructing Tamper-Resistant Software, 
School of Information Science, Japan Advanced Institute of Science and Technology, 
1-1 Asahidai Tatsunokuchi Nomi, Ishikawa, p. PA00005363 

USP 5,594,227 at 2:42-48. 

Citations from Sources Designated by Microsoft under PLR 4-2(b)


Hensley et al., SCP Software Protection User's Guide (Sept. 18, 2000), pp. MSI 140484 
-MSI 140485. 


tamper resistant barrier 
721.34 


Patent Specifications 
'721 patent at 5:1-6 

'193 patent at 59:48-59
'193 patent at 63:47-64:5
'193 patent at 64:13-31
'193 patent at 71:32-40
'193 patent at 79:49-50
'193 patent at 80:22-65

File Histories 

'721 File History, 4/13/99 Amendment, p. 14. 
09/272,998 File History, 10/11/01 Office Action, p. 3.
'900 File History, 8/27/98 Office Action, p. 3. 


tamper resistant software 
900.155 


Patent Specifications 
'900 patent at 87:61-88:33 
'900 patent at 230:57-65 
'900 patent at 233:24-33 
'900 patent at 235:27-236:29 

'683 patent at 29:50-30:3 

Extrinsic Sources 

Aucsmith, Tamper Resistant Software: An Implementation (1996), p. PA00002323 

Mambo et al., A Tentative Approach to Constructing Tamper-Resistant Software, 
School of Information Science, Japan Advanced Institute of Science and Technology, 
1-1 Asahidai Tatsunokuchi Nomi, Ishikawa, p. PA00005363 

USP 5,991,399 at 4:14-23; 5:47-55. 
use
912.8, 912.35, 861.58, 193.19,
891.1, 683.2, 723.1

Patent Specifications
'683 patent at 63:35-67
'193 patent at 324:8-37

Extrinsic Sources 

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 1966 



user controls
683.2

File Histories
'683 File History, 11/12/99 Office Action, p. 4.



validity
912.8

Patent Specifications
'193 patent at 38:27-29
'193 patent at 41:37-42
'193 patent at 67:56-60
'193 patent at 77:30-41
'193 patent at 78:6-14
'193 patent at 85:42-67
'193 patent at 87:52-62
'193 patent at 111:59-112:12
'193 patent at 112:37-59
'193 patent at 119:66
'193 patent at 120:59-121:3
'193 patent at 137:54-67
'193 patent at 152:10-37
'193 patent at 152:40-153:8
'193 patent at 157:42-45
'193 patent at 157:57-67
'193 patent at 164:35-40
'193 patent at 217:51-52
'193 patent at 218:1-15
'193 patent at 220:47-52
'193 patent at 318:59-62



virtual distribution environment
900.155

Patent Specifications
'900 patent at 2:19-31
'900 patent at 2:51-56
'900 patent at 3:18-45
'900 patent at 3:60-4:4
'900 patent at 4:10-13
'900 patent at 4:45-5:45
'900 patent at 6:29-42
'900 patent at 7:10-12
'900 patent at 7:34-8:7
'900 patent at 8:58-9:2
'900 patent at 9:8-58
'900 patent at 11:36-47
'900 patent at 13:26-49
'900 patent at 13:58-62
'900 patent at 21:41-46
'900 patent at 43:43-46
'900 patent at 43:57-44:6
'900 patent at 46:48-52
'900 patent at 48:65-49:2
'900 patent at 50:1-3
'900 patent at 50:30-32
'900 patent at 53:39-54:36
*Qnn r»atp>nf at *\^-A7 4 

y\J\J UdlCUl dl JJ.Dj*JD.J 




yv/v UdlCiil al -JO.UO-J / .O 




'900 patent at 57:15-17
'900 patent at 61:19-21




'900 natpnt at K7-n1-R°.-47 

7W pa I till dl 0/.UJ*OO. i t/ 




*900 natpnt at 780*Q-4fi 




'900 patent at 302:17-24
'900 patent at 303:40-61




yuu patent at jiooo-hj 




'900 patent, Abstract




'107 natpnt at 17-4/^ 

iyj paiem ai ij.^o-ju 




'193 patent at 13:54-57
'193 patent at 16:49-56

File Histories
'721 File History, 4/13/99 Amendment, p. 13.
'891 File History, 9/25/96 Office Action, pp. 1-3.
'891 File History, 6/20/97 Amendment, p. 1.
USP 5,915,019 File History, 1/8/97 Amendment, p. 1.


'193:1

receiving a digital file including
music

Patent Specifications


i yj patent at l ,4o-j2 




J ys patent at ].oI-o3 




iyj paient at j.zo-zy 




l yj patent at y : I 1 y 




patent at izo-jy 




1 7 j paiem ai iz.h/-ij.o 




* 1 Q7 not *>+ 1/1. TO 

iyj patent at J j.34-J4:zo 




i7j paiem ai i^jj-^o 




iyj patem at io.z->-4U 




i?j paiem ai j / .hood 




lyj patent at jo.iu-1h 




iyj patent at j 0.01-04 




M 07 natpnt -at 77» 1 1 A - 

iyj paiem ai zz.j-i** 




M07 natpnt at 71*^? ^7-« 97-^1 lA-^1 ?^'7ft 




1 1 07 natpnt at 78-47 S ^ 




'107 natpnt at 4*5-10 97 
i yj palCDl dl Hj . J y-L / 




1 1 07 natpnt at A S -70-4 ^ 




4 193 natpnt at 46 




"197 natpnt at S?-66-^7-8 

i pdlCill dl JZ.DO'Jj.O 




'19^ natpnt at ^7-17-9? 




'197 natpnt at S7-77 77 




'197 natpnt at ^7-4^ ^0 
■ ?j pdiciii ai jj.Hj*j7 




M93 natpnt at ^4-^1 -SB 




'193 patent at 55:21-56:24
'193 patent at 57:33-39
'193 patent at 58:59-64
'193 patent at 59:39-42
'193 patent at 60:37-48
'193 patent at 62:27-42
'193 patent at 63:32-39
'193 patent at 64:48-51
'193 patent at 65:8-14
'193 patent at 67:31-52
'193 patent at 68:65-69:12
'193 patent at 74:51-53
'193 patent at 75:23-28
'193 patent at 75:65-76:32
'193 patent at 81:26-32
'193 patent at 83:53-63
'193 patent at 90:1-33
'193 patent at 90:38-46
'193 patent at 91:26-51
'193 patent at 96:1-7
'193 patent at 96:12-24
'193 patent at 98:66-99:3
'193 patent at 99:28-35
'193 patent at 101:54-102:61
'193 patent at 104:29-37
'193 patent at 105:23-39
'193 patent at 115:13-21
'193 patent at 115:26-29
'193 patent at 123:51-55
'193 patent at 130:13-54
'193 patent at 133:39-134:23
'193 patent at 135:31-42
'193 patent at 153:53-156:47
'193 patent at 161:7-162:65
'193 patent at 170:41-172:13
'193 patent at 172:63-177:53
'193 patent at 178:49-179:55
'193 patent at 234:59-67
'193 patent at 218:33-220:19
'193 patent at 220:53-67
'193 patent at 222:4-11
'193 patent at 225:22-226:36
'193 patent at 227:25-45
'193 patent at 231:32-59
'193 patent at 233:25-47
'193 patent at 234:36-43
'193 patent at 234:65-235:1
'193 patent at 235:13-38
'193 patent at 243:51-244:48
'193 patent at 254:30-34
'193 patent at 254:59-65
'193 patent at 264:29-49
'193 patent at 266:52-267:45
'193 patent at 273:42-53
'193 patent at 277:10-17
'193 patent at 279:42-53
'193 patent at 282:10-61




lyj patent at zoJ./^-^o 




'193 patent at 283:56-284:42
'193 patent at 288:43-60
'193 patent at 289:14-27
'193 patent at 290:30-62
'193 patent at 313:33-41
'193 patent at 313:58-67
'193 patent at 315:24-28
'193 patent at 316:3-6
'193 patent at 316:16-317:19
'193 patent, Figs. 1, 1A, 2, 2A, 3, 7, 8, 9, 9A, 10, 12, 13, 16, 39, 20, 21, 27, 28, 30, 31,
35, 36, 37, 38, 41a, 41b, 41c, 41d, 67, 69, 69A, 70, 71, 74, 77, 78, 79, 80, 81, 82, 83,
84, 85, 86, and 87

See "Receiving a digital file" (193.11); Securely Receiving

Extrinsic Sources
The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 1508


a budget specifying the number of
copies which can be made of said
digital file

Patent Specifications
'193 patent at 48:29-35
'193 patent at 133:39-50
'193 patent at 143:38-144:32
'193 patent at 162:39-65
'193 patent at 172:61-174:29
'193 patent at 220:20-40

See "Digital file versus a copy," below.


controlling the copies made of
said digital file

Patent Specifications
'193 patent at 48:29-35
'193 patent at 81:4-12
'193 patent at 102:26-40
'193 patent at 133:39-134:23
'193 patent at 140:37-50
'193 patent at 143:39-144:31
'193 patent at 172:38-48
'193 patent at 172:61-174:29
'193 patent at 203:58-67
'193 patent at 212:65-213:36
'193 patent at 229:45-232:3
'193 patent at 235:39-236:25
'193 patent at 263:46-264:4
'193 patent at 279:42-60

See Protected Processing Environment


determining whether said digital
file may be copied and stored on a
second device based on at least
said copy control

Patent Specifications
'193 patent at 48:12-35
'193 patent at 102:26-40
'193 patent at 133:39-50
'193 patent at 220:20-40
'193 patent at 263:46-264:57
'193 patent at 265:9-38
'193 patent at 278:9-25
'193 patent at 279:42-60
'193 patent at 316:16-317:19
'193 patent at 322:65-66
'193 patent at 323:4-7
'193 patent at 323:50-324:7
'193 patent at 325:32-35


if said copy control allows at least
a portion of said digital file to be
copied and stored on a second
device

Patent Specifications
'193 patent at 48:12-35
'193 patent at 102:26-40
'193 patent at 133:39-50
'193 patent at 220:20-40
'193 patent at 263:46-264:57
'193 patent at 265:9-37
'193 patent at 278:9-25
'193 patent at 279:42-60
'193 patent at 316:16-317:19
'193 patent at 322:65-66
'193 patent at 323:4-7
'193 patent at 325:32-35


copying at least a portion of said
digital file

Patent Specifications
'193 patent at 48:12-34
'193 patent at 133:39-50
'193 patent at 220:20-40
'193 patent at 264:28-57
'193 patent at 278:9-25
'193 patent at 316:16-317:19
'193 patent at 322:65-66
'193 patent at 323:4-7
'193 patent at 325:32-35


transferring at least a portion of
said digital file to a second device

Patent Specifications
'193 patent at 38:4-9
'193 patent at 48:12-43
'193 patent at 65:24-38
'193 patent at 68:51-61
'193 patent at 72:1-9
'193 patent at 133:39-50
'193 patent at 162:10-15
'193 patent at 167:43-43
'193 patent at 220:21-40
'193 patent at 226:11-16
'193 patent at 237:34-47
'193 patent at 252:51-58
'193 patent at 264:28-57
'193 patent at 278:9-25
'193 patent at 316:16-317:19
'193 patent at 322:65-66
'193 patent at 323:4-7
'193 patent at 324:8-37
'193 patent at 325:32-40

See "Storing information associated with said digital file in a secure database stored on
said first device, said information including at least one control" (193.15)


storing said digital file

Patent Specifications
'193 patent at 88:24-30
1 y 5 patent at yy : /- 1 o
'193 patent at 102:43-62
'193 patent at 127:41-62
'193 patent at 134:10-14
'193 patent at 153:50-154:16
'193 patent at 229:45-231:31
'193 patent at 289:5-8
'193 patent at 289:14-19
'193 patent at 289:65-66


'193:11

receiving a digital file

Patent Specifications
'193 patent at 52:66-53:8
'193 patent at 55:39-56
'193 patent at 60:37-48
'193 patent at 102:41-61
'193 patent at 133:39-134:23
'193 patent at 282:29-63
j "J paieni ax j i o. i oo i / . i y
'193 patent at 323:14-40

Extrinsic Sources

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 1508
See "Receiving a digital file including music" ('193.1)


determining whether said digital 
file may be copied and stored on a 
second device based on said first 
control 


See "Determining whether said digital file may be copied and stored on a second 
device based on at least said copy control" ('193.1). 


identifying said second device 


Patent Specifications 
'193 patent at 42:8-20 
'193 patent at 47:49-57 
'193 patent at 81:4-11
'193 patent at 203:58-67 
'193 patent at 212:65-213:36 
'193 patent at 230:22-27 
'193 patent at 279:42-60 

See Identify and Identifier 


whether said first control allows 
transfer of said copied file to said 
second device 


Patent Specifications 
'193 patent at 48:28-34 
'193 patent at 102:26-40 
'193 patent at 263:46-264:49 
'193 patent at 265:9-38 
'193 patent at 279:42-60 
'193 patent at 316:16-317:19 

See "Determining whether said digital file may be copied and stored on a second 
device based on at least said copy control" ('193.1) 


said determination based at least
in part on the features present at
the device


Patent Specifications
'193 patent at 42:8-20
'193 patent at 47:49-57
'193 patent at 81:4-11
'193 patent at 203:58-67
'193 patent at 212:65-213:36
'193 patent at 230:22-27
'193 patent at 279:42-60.


if said first control allows at least
a portion of said digital file to be
copied and stored on a second
device

Patent Specifications
'193 patent at 48:28-35
'193 patent at 102:26-40
'193 patent at 263:46-264:57
'193 patent at 265:9-38
'193 patent at 279:42-60
'193 patent at 316:16-317:39

See "If said copy control allows at least a portion of said digital file to be copied and
stored on a second device" ('193.1).


copying at least a portion of said
digital file

See "Copying at least a portion of said digital file" ('193.1)


transferring at least a portion of
said digital file to a second device

Patent Specifications
'193 patent at 38:4-9
'193 patent at 65:24-38
'193 patent at 68:51-61
'193 patent at 72:3-9
'193 patent at 162:10-15
'193 patent at 167:41-43
'193 patent at 226:11-16
'193 patent at 237:34-47
'193 patent at 252:51-58
'193 patent at 324:8-37
'193 patent at 325:32-40

See "Transferring at least a portion of said digital file to a second device" (193.1); and
"Storing information associated with said digital file in a secure database stored on
said first device, said information including at least one control" (193.15)


storing said digital file

See "Storing said digital file" ('193.3)


'193:15

receiving a digital file

Patent Specifications
'193 patent at 52:66-53:8
'193 patent at 55:39-56
'193 patent at 60:37-48
'193 patent at 102:41-61
'193 patent at 133:39-134:23
'193 patent at 282:29-61
'193 patent at 316:16-317:19

See "Receiving a digital file" (193.11)

Extrinsic Sources

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 1508.


an authentication step comprising:

Patent Specifications
'193 patent at 42:8-20
'193 patent at 47:49-57
'193 patent at 81:4-11
'193 patent at 123:24-62
'193 patent at 203:58-67
'193 patent at 212:66-213:36
'193 patent at 230:22-27
'193 patent at 278:9-25
'193 patent at 279:41-60


accessing at least one identifier
associated with a first device or
with a user of said first device

Patent Specifications
'193 patent at 25:31-38
'193 patent at 42:8-20
'193 patent at 47:49-57
'193 patent at 81:4-11
'193 patent at 123:23-62
'193 patent at 203:58-67
'193 patent at 212:65-213:36
'193 patent at 230:22-27
'193 patent at 278:9-25
'193 patent at 279:41-60

See Identifier


determining whether said
identifier is associated with a
device and/or user authorized to
store said digital file

Patent Specifications
'193 patent at 42:8-20
'193 patent at 47:49-57
'193 patent at 81:4-12
'193 patent at 123:24-62
'193 patent at 192:3-57
'193 patent at 203:58-67
'193 patent at 212:65-213:36
'193 patent at 230:22-27
'193 patent at 278:9-25
'193 patent at 279:42-60


storing said digital file in a first
secure memory of said first
device, but only if said device
and/or user is so authorized, but
not proceeding with said storing if
said device and/or user is not
authorized

Patent Specifications
'193 patent at 42:8-20
'193 patent at 47:49-57
'193 patent at 81:4-12
'193 patent at 123:24-62
'193 patent at 192:3-57
'193 patent at 203:58-67
'193 patent at 212:65-213:36
'193 patent at 230:22-27
'193 patent at 278:9-25
'193 patent at 279:42-60


storing information associated
with said digital file in a secure
database stored on said first
device, said information including
at least one control

Patent Specifications
'193 patent at 19:15-32
'193 patent at 22:20-25
'193 patent at 126:15-37
'193 patent at 153:50-67
'193 patent at 156:53-58
'193 patent at 292:19-47


determining whether said digital
file may be copied and stored on a
second device based on said at
least one control

See "Determining whether said digital file may be copied and stored on a second
device based on at least said copy control" ('193.1) and "Storing information
associated with said digital file in a secure database stored on said first device, said
information including at least one control" (193.15).
if said at least one control allows 
at least a portion of said digital 
file to be copied and stored on a 
second device, 



Patent Specifications

'193 patent at 48:28-34
'193 patent at 102:26-40
'193 patent at 263:46-264:49
'193 patent at 265:9-38
'193 patent at 279:42-60
'193 patent at 316:16-317:19

See "If said first control allows at least a portion of said digital file to be copied and
stored on a second device" ('193.11); "If said copy control allows at least a portion of
said digital file to be copied and stored on a second device" (193.1); and "storing
information associated with said digital file in a secure database stored on said first
device, said information including at least one control" (193.15).


copying at least a portion of said
digital file

See "Copying at least a portion of said digital file" ('193.1) and "Storing information
associated with said digital file in a secure database stored on said first device, said
information including at least one control" (193.15).



transferring at least a portion of
said digital file to a second device

Patent Specifications
'193 patent at 38:4-9
'193 patent at 65:24-38
'193 patent at 68:53-61
'193 patent at 72:1-9
'193 patent at 162:10-15
'193 patent at 167:41-43
'193 patent at 226:11-16
'193 patent at 237:34-47
'193 patent at 252:51-58
'193 patent at 324:8-37
'193 patent at 325:32-40

See "Transferring at least a portion of said digital file to a second device" (193.1); and
"Storing information associated with said digital file in a secure database stored on
said first device, said information including at least one control" (193.15).


storing said digital file

See "Storing said digital file" ('193.1).


'193:19

receiving a digital file at a first
device

Patent Specifications
'193 patent at 52:66-53:8
'193 patent at 55:39-56
'193 patent at 60:37-48
'193 patent at 102:41-61
'193 patent at 133:39-134:23
'193 patent at 282:29-61
'193 patent at 316:16-317:19

See "Receiving a digital file" (193.11)

Extrinsic Sources

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992), p. 3508.


establishing communication
between said first device and a
clearinghouse located at a location
remote from said first device

Patent Specifications
'193 patent at 1:46-52
'193 patent at 1:60-63
'193 patent at 3:25-29
'193 patent at 9:13-17
'193 patent at 12:5-39
'193 patent at 12:47-13:6
'193 patent at 13:54-14:28
'193 patent at 14:31-48
'193 patent at 16:25-40
'193 patent at 17:46-56
'193 patent at 18:10-14
'193 patent at 18:60-64
'193 patent at 22:1-14
'193 patent at 21:52-53; 23:51-24:14; and 24:57-25:30
'193 patent at 38:43-55
'193 patent at 45:19-26
'193 patent at 45:39-45
'193 patent at 46:4-8
'193 patent at 52:66-53:8
'193 patent at 53:13-22
'193 patent at 53:33-37
'193 patent at 53:45-59
'193 patent at 54:51-58
'193 patent at 55:21-56:24
'193 patent at 57:33-39
'193 patent at 58:59-64
'193 patent at 59:39-42
'193 patent at 60:37-48
'193 patent at 62:27-42
'193 patent at 63:32-39
'193 patent at 64:49-51
'193 patent at 65:9-14
'193 patent at 67:31-52
'193 patent at 68:65-69:12
'193 patent at 74:51-53
'193 patent at 75:23-28
'193 patent at 75:65-76:32
'193 patent at 81:26-32
'193 patent at 83:53-63
'193 patent at 90:1-28
'193 patent at 90:39-46
'193 patent at 91:26-51
'193 patent at 96:1-7
'193 patent at 96:12-26
'193 patent at 98:66-99:3
'193 patent at 99:28-35
'193 patent at 101:54-102:52
'193 patent at 104:29-37
'193 patent at 105:25-39
'193 patent at 115:13-21
'193 patent at 115:25-29
'193 patent at 123:51-55
i^jpaxeniat jji.hjOz
'193 patent at 135:16-24
'193 patent at 135:31-42
'193 patent at 153:53-156:47
'193 patent at 160:65-162:65
'193 patent at 170:42-172:13
'193 patent at 172:61-177:53
'193 patent at 178:49-179:55
'193 patent at 214:59-67
'193 patent at 218:33-220:19
'193 patent at 220:53-67
'193 patent at 222:4-11
'193 patent at 225:22-226:36
'193 patent at 227:25-45
'193 patent at 231:32-59
'193 patent at 233:25-47
'193 patent at 234:36-43
'193 patent at 234:64-235:1
'193 patent at 235:13-38
'193 patent at 243:51-244:48
'193 patent at 254:30-34
'193 patent at 254:59-65
'193 patent at 264:26-49
'193 patent at 266:51-267:45
'193 patent at 273:42-53
'193 patent at 277:9-17
'193 patent at 279:42-53
'193 patent at 282:11-28
'193 patent at 282:45-61
'193 patent at 283:24-28
'193 patent at 283:56-284:43
'193 patent at 288:43-60
'193 patent at 289:14-27
'193 patent at 290:30-62
'193 patent at 292:19-47
'193 patent at 313:33-41
'193 patent at 313:58-67
'193 patent at 315:24-28
'193 patent at 316:1-6
'193 patent at 316:16-317:19
'193 patent, Figs. 1, 1A, 2, 2A, 3, 7, 8, 9, 9A, 10, 12, 13, 36, 19, 20, 23, 27, 28, 30, 31,
35, 36, 37, 38, 41a, 41b, 43c, 41d, 67, 69, 69A, 70, 71, 74, 77, 78, 79, 80, 81, 82, 83,
84, 85, 86, and 87


j using saiu auLuOiizanon 


— ; ; — 

Patent Specifications 


UliUlilJaUUII lO gain aCCCSS TO OJ 


iyj patent at izo.oo-izy.zo 


1 maVp at Ipact nnp nc*» /~»^~ coir? ftT-ct 
J IIldKC at JCdM UiJC USC OI Sam IUSl 


iyj patent at i^+o.du- J*fy: / 


1 Hioital fil^ 


i y j paiem at i d i .o**- i jz.y 




j yj paient ai z i j.lh-dl 


receiving a first control from said
clearinghouse at said first device

Patent Specifications
'193 patent at 1:46-52
'193 patent at 1:60-2:3
'193 patent at 3:26-29
'193 patent at 9:13-16
'193 patent at 32:5-9
'193 patent at 12:47-13:6
'193 patent at 13:54-14:28
'193 patent at 14:33-48
'193 patent at 16:25-40
'193 patent at 37:46-56
'193 patent at 18:10-14
'193 patent at 38:60-64
'193 patent at 22:1-14
'193 patent at 21:52-53; 23:51-24:14; and 24:57-25:30
'193 patent at 38:43-55
'193 patent at 45:19-27
'193 patent at 45:39-45
'193 patent at 46:4-8
'193 patent at 52:66-53:8
'193 patent at 53:12-22
'193 patent at 53:33-37
'193 patent at 53:45-59
'193 patent at 54:51-58
'193 patent at 55:21-56:24
'193 patent at 57:33-39
'193 patent at 58:59-64
'193 patent at 59:39-42
'193 patent at 60:37-48
'193 patent at 62:27-42
'193 patent at 63:32-39
'193 patent at 64:48-51
'193 patent at 65:8-14
'193 patent at 67:31-52
'193 patent at 68:65-69:12
'193 patent at 74:51-53
'193 patent at 75:23-28
'193 patent at 75:65-76:32
'193 patent at 81:26-32
'193 patent at 83:53-63
'193 patent at 90:1-28
'193 patent at 90:38-46
'193 patent at 91:26-51
'193 patent at 96:1-7
'193 patent at 96:12-24
'193 patent at 98:66-99:3
'193 patent at 99:28-35
'193 patent at 101:54-102:51
'193 patent at 104:29-37
'193 patent at 105:23-39
'193 patent at 115:13-21
'193 patent at 115:25-29
'193 patent at 123:51-55
'193 patent at 131:45-52
'193 patent at 135:16-24
'193 patent at 135:31-42
'193 patent at 153:53-156:47
'193 patent at 160:65-162:65
'193 patent at 170:42-172:13
'193 patent at 172:61-177:53
'193 patent at 178:49-179:55
'193 patent at 214:57-67
'193 patent at 218:31-220:19
'193 patent at 220:53-67
'193 patent at 222:4-11
'193 patent at 225:22-226:26
'193 patent at 227:25-45
'193 patent at 231:32-59
'193 patent at 233:25-47
'193 patent at 234:36-43
'193 patent at 234:64-235:1
'193 patent at 235:13-38
'193 patent at 243:51-244:48
'193 patent at 254:30-34
'193 patent at 254:59-65
'193 patent at 264:29-49
'193 patent at 266:51-267:45
'193 patent at 273:42-53
'193 patent at 277:9-18
'193 patent at 279:42-53
'193 patent at 282:11-28
'193 patent at 282:45-61
'193 patent at 283:23-28
'193 patent at 283:56-284:42
'193 patent at 288:43-60
'193 patent at 289:14-27
'193 patent at 290:30-62
'193 patent at 292:19-47
' IP*} natpnt af
i "J pdicni a l j J j i
'193 patent at 313:58-67
'193 patent at 315:24-28
4 IP*} natent at ^lfvl-fi
'193 patent at 316:16-317:19
'193 patent, Figs. 1, 1A, 2, 2A, 3, 7, 8, 9, 9A, 10, 12, 13, 16, 19, 20, 21, 27, 28, 30, 31,
35, 36, 37, 38, 41a, 41b, 41c, 41d, 67, 69, 69A, 70, 71, 74, 77, 78, 79, 80, 81, 82, 83,
84, 85, 86, and 87

See "Receiving a digital file" (193.11).


storing said first digital file in a
memory of said first device

See "Storing said digital file" ('193.1)


using said first control to
determine whether said first
digital file may be copied and
stored on a second device

See "Determining whether said digital file may be copied and stored on a second
device based on at least said copy control" ('193.3).




if said first control allows at least
a portion of said first digital file to
be copied and stored on a second
device

Patent Specifications
'193 patent at 48:28-35
'193 patent at 102:26-40
'193 patent at 263:46-264:57
'193 patent at 265:9-38
'193 patent at 279:42-60
'193 patent at 316:16-317:19

See "If said first control allows at least a portion of said digital file to be copied and
stored on a second device" ('193.11).


copying at least a portion of said
first digital file

See "Copying at least a portion of said digital file" ('193.1).


transferring at least a portion of
said first digital file to a second
device including a memory and an
audio and/or video output

Patent Specifications
'193 patent at 38:4-9
'193 patent at 65:24-38
'193 patent at 68:51-61
'193 patent at 72:1-9
'193 patent at 162:10-15
'193 patent at 167:41-43
'193 patent at 226:11-16
'193 patent at 237:34-47
'193 patent at 252:51-58
'193 patent at 324:8-37
'193 patent at 325:32-40

See "Transferring at least a portion of said digital file to a second device" (193.1); and
"Storing information associated with said digital file in a secure database stored on
said first device, said information including at least one control" (193.15)


storing said first digital file
portion

See "Storing said digital file" ('193.1)




'683:2

the first secure container having
been received from a second
apparatus

Patent Specifications
'683 patent at 15:56-16:4
'193 patent at 102:41-51


an aspect of access to or use of

Patent Specifications
'683 patent at 24:33-39
'683 patent at 25:62-26:10
'193 patent at 15:46-50
'193 patent at 58:38-46
'193 patent at 159:23-26
'193 patent at 128:42-45


lilt J. Lien dCLulC vUIlullIlCI I U1C
having been received from a third
apparatus different from said
second apparatus

Patent Specifications
'683 patent at 24:33-39
'683 patent at 25:62-67
'193 patent at 15:46-50
'193 patent at 54:24-38
'193 patent at 58:38-46
'193 patent at 128:42-45
'193 patent at 159:23-26

See "First secure container having been received from a second apparatus" (683.2).


hardware or software used for
receiving and opening secure
containers

Patent Specifications
4 683 natent at 5 '3 0-1 8
'683 patent at 6:52-56
'683 patent at 8:50-52
'683 patent at 10:12-15
'683 patent at 10:27-35
'683 patent at 10:55-11:14
'683 patent at 11:40-52
'683 patent at 11:65-56
'683 patent at 11:59-64
'683 patent at 12:27-51
'683 patent at 13:3-6
'683 patent at 13:15-17
'683 patent at 13:43-47
'683 patent at 14:10-14
'683 patent at 14:18-27
'683 patent at 14:58
'683 patent at 14:64-65
'683 patent at 15:35-45
'683 patent at 15:56-16:4
'683 patent at 16:25-28
'683 patent at 16:58-20:66
'683 patent at 24:46-25:26
'683 patent at 29:50-30:16
'683 patent at 30:30-35:43
'683 patent at 36:1-37:42
'683 patent at 38:56-39:39
'683 patent at 39:66-43:20
'683 patent at 47:34-42
'683 patent at 49:31-39
'683 patent at 61:7-11
'683 patent at 62:8-62
'683 patent, Figs. 7, 8, 9, 9A, 9B, 10, 12, 13, 35, 36




'193 patent at 1:46-55
'193 patent at 1:60-63
'193 patent at 3:26-29
'193 patent at 9:13-17
'193 patent at 12:5-39
'193 patent at 12:47-13:6
'193 patent at 13:54-14:28
'193 patent at 14:31-48
'193 patent at 16:25-40
'193 patent at 17:46-56
'193 patent at 18:10-14
'193 patent at 18:60-64
'193 patent at 22:1-14
'193 patent at 21:52-53; 23:51-24:14; 24:57-25:30
'193 patent at 38:46-55
'193 patent at 45:19-27
'193 patent at 45:39-45
'193 patent at 46:4-8
'193 patent at 52:66-53:8
'193 patent at 53:13-22
'193 patent at 53:33-37
'193 patent at 53:45-59
'193 patent at 54:51-58
'193 patent at 55:21-56:24
'193 patent at 57:33-39
iyj patent at 3o:j9-o4
'193 patent at 59:39-42
lyj patent at ou:3 /-4o
'193 patent at 62:27-42
'193 patent at 63:32-39
'193 patent at 64:48-51
'193 patent at 65:8-14
'193 patent at 67:31-52
'193 patent at 68:65-69:12
'193 patent at 74:51-53
'193 patent at 75:23-28
'193 patent at 75:65-76:32
'193 patent at 81:26-32
'193 patent at 83:52-63
'193 patent at 90:1-28 
'193 patent at 90:38-46 
'193 patent at 91:26-51 
'193 patent at 96:1-7 
'193 patent at 96:12-24 
'193 patent at 98:66-99:3 
'193 patent at 99:28-35 
'193 patent at 101:54-102:5*1 
'193 patent at 104:29-37 
'193 patent at 105:23-39 
'193 patent at 115:13-21 
'193 patent at 115:25-29 
'193 patent at 123:51-55 
'193 patent at 135:31-42 
'193 patent at 153:53-156:47 
'193 patent at 161:7-162:65 
'193 patent at 170:42-172:13 
'193 patent at 172:61-177:53 
'193 patent at 178:49-179:55 
'193 patent at 214:57-67 
'193 patent at 218:31-219:19 
'193 patent at 220:53-67 
'193 patent at 222:4-11 
'193 patent at 225:22-226:36 
'193 patent at 227:25-45 
'193 patent at 231:32-59 
'193 patent at 233:25-47 
'193 patent at 234:36-43 
'193 patent at 234:64-235:1 
'193 patent at 235:14-38 
'193 patent at 243:51-244:48 
'193 patent at 254:30-34 
'193 patent at 254:59-65 
'193 patent at 264:29-49 
'193 patent at 266:51-267:45 
'193 patent at 273:42-53 
'193 patent at 277:9-17 
'193 patent at 279:42-53 
'193 patent at 282:11-28 
'193 patent at 282:45-61 
'193 patent at 283:23-28 
'193 patent at 283:56-284:42 
'193 patent at 288:43-60 
'193 patent at 289:14-27 
'193 patent at 290:30-62 
'193 patent at 313:33-41 
'193 patent at 313:58-67 
'193 patent at 315:25-29 
'193 patent at 316:1-6 
'193 patent at 316:62-65 

'193 patent, Figs. 1, 1A, 2, 2A, 3, 7, 8, 9, 9A, 10, 12, 13, 16, 19, 20, 21, 27, 28, 30, 31, 
35, 36, 37, 38, 41a, 41b, 41c, 41d, 67, 69, 69A, 70, 71, 74, 77, 78, 79, 80, 81, 82, 83, 
84, 85, 86, and 87 



File Histories 



'683 File History, 11/12/99 Office Action, pp. 4-5 (citing USP 5,412,717); see also 
USP 5,412,717 at 4:45-62; 7:49-56; 8:7-24; and 9:64-66. 

See Protected Processing Environment and Host Processing Environment 


said secure containers each 
including the capacity to contain a 
governed item, a secure container 
rule being associated with each of 
said secure containers 

Patent Specifications 
'683 patent at 15:56-16:4 
'193 patent at 19-1 
'193 patent at 7?-?fL?S 
'193 patent at 292:27-37 


protected processing environment 

See Protected Processing Environment 


at least in part protecting 
information contained in said 
protected processing environment 
from tampering by a user of said 
first apparatus 




hardware or software used for 
applying said first secure 
container rule and a second secure 
container rule in combination to at 
least in part govern at least one 
aspect of access to or use of a 
governed item contained in a 
secure container 

Patent Specifications 
'683 patent at 8:38-46 
'683 patent at 11:40-52 
'683 patent at 31:55-56 
'683 patent at 11:59-64 
'683 patent at 13:46-47 
'683 patent at 14:58 
'683 patent at 16:25-28 
'683 patent at 16:58-62 
'683 patent at 20:13-23 
'683 patent at 24:26-33 
'683 patent at 25:62-26:10 
'683 patent at 29:50-30:3 
'683 patent at 31:28-55 
'683 patent at 32:7-36 
'683 patent at 32:59-33:37 
'683 patent at 34:5-13 
'683 patent at 35:44-67 
'683 patent at 36:13-40 
'683 patent at 37:14-42 
'193 patent at 19-ftt-?0*7 
'193 patent at 54:39-50 
'193 patent at 55:33-56 
'193 patent at 149:24-45 
'193 patent at 242:54-61 
'193 patent at 242:64-243:9 
'193 patent at 243:59-62 
'193 patent at 253:9-63 

'683 File History, 11/12/99 Office Action, pp. 4-5 (citing USP 5,412,717 at 10:8-39 

transmission of secure containers 
to other apparatuses or for the 
receipt of secure containers from 
other apparatuses. 

'683 patent at 5:30-40 
'683 patent at 6:52-56 
'683 patent at 8:50-52 
'683 patent at 10:12-15 
'683 patent at 10:27-35 
'683 patent at 10:55-11:14 
'683 patent at 11:40-51 
'683 patent at 11:55-56 
'683 patent at 11:59-64 
'683 patent at 12:27-51 
'683 patent at 13:3-6 
'683 patent at 13:14-16 
'683 patent at 13:43-47 
'683 patent at 14:11-22 
'683 patent at 14:58-60 
'683 patent at 14:64-65 
'683 patent at 15:16-17 
'683 patent at 15:26-27 
'683 patent at 15:35-45 
'683 patent at 15:56-16:4 
'683 patent at 16:25-28 
'683 patent at 16:58-20:51 
'683 patent at 24:46-25:26 
'683 patent at 29:50-30:16 
'683 patent at 30:30-35:43 
'683 patent at 36:1-37:42 
'683 patent at 38:56-39:39 
'683 patent at 39:65-43:20 
'683 patent at 47:34-42 
'683 patent at 49:33-39 
'683 patent at 61:7-11 
'683 patent at 62:9-62 

'683 patent, Figs. 7, 8, 9, 9A, 9B, 10, 12, 13, 35, 36 

'193 patent at 1:46-52 
'193 patent at 1:60-63 
'193 patent at 3:26-29 
'193 patent at 9:13-17 
'193 patent at 12:5-39 
'193 patent at 12:47-13:6 
'193 patent at 13:54-14:28 
'193 patent at 14:31-48 
'193 patent at 16:25-40 
'193 patent at 17:46-56 
'193 patent at 18:10-14 
'193 patent at 18:60-64 
'193 patent at 22:1-14 
'193 patent at 21:52-53; 23:51-24:14; 24:57-25:30 
'193 patent at 38:43-55 
'193 patent at 45:19-27 
'193 patent at 45:39-45 
'193 patent at 46:4-8 
'193 patent at 52:66-53:8 
'193 patent at 53:13-22 
'193 patent at 53:33-37 
'193 patent at 53:45-59 
'193 patent at 54:51-58 
'193 patent at 57:33-39 
'193 patent at 58:59-64 
'193 patent at 60:37-48 
'193 patent at 63:32-39 
'193 patent at 64:48-51 
'193 patent at 67:31-52 
'193 patent at 68:65-69:12 
'193 patent at 74:51-53 
'193 patent at 75:23-28 
'193 patent at 75:65-76:32 
'193 patent at 81:26-32 
'193 patent at 83:53-63 
'193 patent at 90:1-28 
'193 patent at 90:39-46 
'193 patent at 91:26-51 
'193 patent at 96:1-7 
'193 patent at 99:28-35 
'193 patent at 115:13-21 
'193 patent at 115:25-29 
'193 patent at 123:51-55 
'193 patent at 135:33-42 
'193 patent at 153:53-156:47 
'193 patent at 161:7-162:65 
'193 patent at 170:42-172:13 
'193 patent at 172:61-177:53 
'193 patent at 178:49-179:55 




'193 patent at 214:57-67 
'193 patent at 218:31-220:19 
'193 patent at 220:53-67 
'193 patent at 222:4-11 
'193 patent at 225:22-226:36 
'193 patent at 227:25-45 
'193 patent at 231:32-59 
'193 patent at 233:25-47 
'193 patent at 234:36-43 
'193 patent at 235:14-38 
'193 patent at 254:30-34 
'193 patent at 273:42-53 
'193 patent at 283:56-284:42 
'193 patent at 288:43-60 
'193 patent at 289:14-27 
'193 patent at 290:30-62 
'193 patent at 313:33-41 
'193 patent at 313:58-67 
'193 patent at 315:25-29 
'193 patent at 316:1-6 
'193 patent at 316:62-65 

'193 patent, Figs. 1, 1A, 2, 2A, 3, 7, 8, 9, 9A, 10, 12, 13, 16, 19, 20, 21, 27, 28, 30, 31, 
35, 36, 37, 38, 41a, 41b, 41c, 41d, 67, 69, 69A, 70, 71, 74, 77, 78, 79, 80, 81, 82, 83, 
84, 85, 86, and 87 

File Histories 

'683 File History, 11/12/99 Office Action, pp. 4-5 (citing USP 5,412,717); see also 
USP 5,412,717 at 1:18-24; 4:58-69. 

See Protected Processing Environment and Host Processing Environment 


'721:1 




digitally signing a first load 
module with a first digital 
signature designating the first load 
module for use by a first device 
class 


Patent Specifications 
'721 patent at 4:61-5:5 
'721 patent at 6:16-62 
'721 patent at 7:66-8:6 
'721 patent at 16:37-17:23 
'721 patent at 18:19-39 
'721 patent at 19:11-32 
'721 patent at 20:1-4 


digitally signing a second load 
module with a second digital 
signature different from the first 
digital signature, the second 
digital signature designating the 
second load module for use by a 
second device class having at least 
one of tamper resistance and 
security level different from the at 
least one of tamper resistance and 
security level of the first device 
class 


Patent Specifications 
'721 patent at 4:61-5:9 
'721 patent at 6:16-64 
'721 patent at 7:62-8:6 
'721 patent at 16:37-17:23 
'721 patent at 17:41-18:2 
'721 patent at 18:19-20:4 




distributing the first load module 
for use by at least one device in 
the first device class 


Patent Specifications 
'721 patent at 4:61-5:5 
'721 patent at 6:16-62 
'721 patent at 7:66-8:6 
'721 patent at 16:37-17:23 
'721 patent at 18:3-38 
'721 patent at 19:11-32 
'721 patent at 19:51-67 
'721 patent at 20:1-4 
'721 patent at 20:58-21:7 




distributing the second load 
module for use by at least one 
device in the second device class 


Patent Specifications 

'721 patent at 4:61-5:5 
'721 patent at 6:16-62 
'721 patent at 7:66-8:6 
'721 patent at 16:37-17:23 
'721 patent at 18:3-38 
'721 patent at 19:11-32 
'721 patent at 19:51-67 
'721 patent at 20:1-4 
'721 patent at 20:58-21:7 


'721:34 


arrangement within the first 
tamper resistant barrier 


Patent Specifications 
'721 patent at 4:61-5:9 
'721 patent at 6:5-7:7 
'721 patent at 7:62-8:6 
'721 patent at 16:37-37:23 
'721 patent at 17:41-18:2 
'721 patent at 18:19-39 
'721 patent at 19:11-20:25 


prevents the first secure execution 
space from executing the same 
executable accessed by a second 
secure execution space having a 
second tamper resistant barrier 
with a second security level 
different from the first security 
level 


Patent Specifications 
'721 patent at 4:61-5:9 
'721 patent at 6:5-7:7 
'721 patent at 7:62-8:6 
'721 patent at 16:37-17:23 
'721 patent at 17:41-18:2 
'721 patent at 18:19-39 
'721 patent at 19:11-20:25 


'861:58 


creating a first secure container 


Patent Specifications 
'861 patent at 3:3-4 
'861 patent at 3:39-43 
'861 patent at oiZy-3J. 
'861 patent at 1U:/-IU 
'861 patent at ll:45-jo 
'861 patent at 16:32-35 

See Secure Container 


including or addressing . . . 
organization information . . . 
desired organization of a content 
section. . . and metadata 
information at least in part 
specifying at least one step 
required or desired in creation of 
said first secure container 


Patent Specifications 
'861 patent at 5:57-6:7 
'861 patent at 10:38-53 
'861 patent at 14:14-29 
'861 patent at 15:21-31 
'861 patent at 17:49-53 


at least in part determine specific 
information required to be 
included in said first secure 
container contents 


Patent Specifications 
'861 patent at 10:49-61 
'861 patent at 15:21-31 
'861 patent at 28:26-28 
'193 patent at 69:66-70:1 
'193 patent at 71:19-20 
'193 patent at 230:30-34 

rule designed to control at least 
one aspect of access to or use of at 
least a portion of said first secure 
container contents 


Patent Specifications 
'861 patent at 15:21-31 
'861 patent at 17:49-53 




'891:1 


resource processed in a secure 
operating environment at a first 


Patent Specifications 
*1Q^ nat^nt at RVd/l . A R 
iyj palClil at OJ.f *+"*rO 

See Protected Processing Environment 


securely receiving a first entity's 
control at said first appliance 


Patent Specifications 


iy3 patent at 5.0204 




iy3 patent at _> / .z/oo 1 




\yi patent at 00.3 /-4o 




jy3 patent at o2.32-3y 




iyj patent at o/:2I-52 ( 




iy3 patent at oo:o5-oy: 12 




1V3 patent at /5:o5-/o:I 




iy3 patent at /o:iU-iz 




lyj patent at //:3U-44 




jyj patent at o 1.20-32 




193 patent at 83:53-64:7 




iy3 patent at 9 1:35-51 




I 93 patent at 96: j -6 




193 patent at yo: 12- j 7 i 




1^3 patent at 101:54-102:25 




1 y 3 patent at 1 02 :4 1 -5 1 




iy3 patent at 104:29-37 


j 


1 93 patent at 1 1 o:64- 1 1 9:43 




iyi patent at 




iyj patent at izi.MOo 




4 1 Ol n 1ff.fi 1 C/C.1 

iy3 patent at jj5.51-I5o:2 


j 


1 y 3 patent at 1 ou: oo- 1 o 1 :5 1 




iy3 patent at io2:3y-lo3:35 




iy3 patent at 2Uv.oo-2Ul:42 




'1 not Ant ot *>1 1-70 OlO-in 

i y3 patent at 2 i i .3y-2 j 2. j u 




'193 patent at 214:59-67 
'193 patent at 218:31-220:19 
'193 patent at 225:50-226:36 
'193 patent at 227:25-228:30 




nat#»nt sit '?^-95-'} c » 
I y J JJalGIll al ZJJ.ZJ'JJ 




'193 patent at 282:56-61 
'193 patent at 283:61-65 
'193 patent at 290:46-62 
'891 patent at 322:56-63 

See "Securely Receiving"; and "Receiving a first control from said clearinghouse at 
said first device" (193.19) 


securely receiving a second 
entity's control at said first 
appliance 


See "Securely receiving a first entity's control at said first appliance" (891.1) 


securely processing a data item at 
said first appliance, using at least 
one resource 


See "Resource processed in a secure operating environment at a first appliance" 
(891.1); and "Securely Processing" 


securely applying, at said first 
appliance through use of said at 
least one resource said first 
entity's control and said second 
entity's control to govern use of 
said data item 


Patent Specifications 
'891 patent at 322:16-18 

See "Resource processed in a secure operating environment at a first appliance" 
(891.1); and "Securely Applying" 


'900:155 




first host processing environment 
comprising 


See Host Processing Environment 


designed to be loaded into said 
main memory and executed by 
said central processing unit 


Patent Specifications 
'900 patent at 82:12-23 


said tamper resistant software 

comprising: . . . one or more 
storage locations storing said 
information 


Patent Specifications 
'900 patent at 239:50-53 


derives information from one or 
more aspects of said host 
processing environment, 


Patent Specifications 

'900 patent at 239:4-42 


one or more storage locations 
storing said information 


Patent Specifications 
'900 patent at 239:4-21 
'900 patent at 239:50-60 
'900 patent, Fig. 69C 
'900 patent, Fig. 69G 


information previously stored in 
said one or more storage locations 


Patent Specifications 
'900 patent at 239:15-55 
'900 patent at 240:31-34 


generates an indication based on 
the result of said comparison 


Patent Specifications 
'900 patent at 239:56-64 
'900 patent at 243:32-41 


programming which takes one or 
more actions based on the state of 
said indication 


Patent Specifications 
'900 patent at 239:56-64 
'900 patent at 242:52-67 
'900 patent at 243:32-41 
'900 patent at 243:65-244:2 
'900 patent at 244:33-39 
'900 patent at 247:50-57 


at least temporarily halting further 
processing 


Patent Specifications 

'900 patent at 
'900 patent at 242:52-67 
'900 patent at 243:32-41 
'900 patent at 243:65-244:2 
'900 patent at 244:33-39 
'900 patent at 247:50-57 


'912:8 




identifying at least one aspect of 
an execution space required for 
use and/or execution of the load 
module 


Patent Specifications 
'193 patent at 140:15-46 


said execution space identifier 
provides the capability for 
distinguishing between execution 
spaces providing a higher level of 
security and execution spaces 
providing a lower level of security 


Patent Specifications 
'193 patent at 140:15-46 

'912 patent at 327:59-61 
'912 patent at 327:64-66 


checking said record for validity 
prior to performing said executing 
step 


Patent Specifications 
'193 patent at 112:46-113:2 

File Histories 

'912 File History, 9/22/98 Office Action, pp. 2-3. 


'912:35 




received in a secure container 


Patent Specifications 
'193 patent at 58:48-58 


said component assembly 
allowing access to or use of 
specified information 


Patent Specifications 
'193 patent at 69:66-70:1 
'193 patent at 71:19-20 
'193 patent at 83:53-84:16 
'193 patent at 159:61-160:8 
'193 patent at 230:30-34 

Extrinsic Sources 

The American Heritage Dictionary, 3d ed. (Houghton Mifflin, 1992) ("information") 

'193 patent at 69:66-70:1 
'193 patent at 71:19-20 
'193 patent at 230:30-34 


said first component assembly 
specified by said first record 


See "Said component assembly allowing access to or use of specified information" 
(912.35) 




Evidence Relevant to Numerous Disputed Claim Terms and Phrases 




Refreshing a budget 


Patent Specifications 
'193 patent at 131:10-13 
'193 patent at 162:39-65 
'193 patent at 173:21-174:14 


Absolute protection 


Patent Specifications 

'193 patent at 16:25-28 
'193 patent at 35:59-63 
'193 patent at 38:4-12 
'193 patent at 49:59-62 
'193 patent at 80:65-81:8 




'193 patent at 199:38-46 
'193 patent at 22 3:2-6 
'193 patent at 222:49-53 
'193 patent at 223:4-10 

'721 patent at 21:9-24 
'721 patent at 24:48-56 

Citations from Sources Designated by Microsoft under PLR 4-2(b) 


Landwehr, Formal Models for Computer Security, ACM Computer Surveys (Sept 3 
1981), p. 253. 

Computer Security Handbook, 2d ed. (Macmillan, 1988), pp. 75, 201, 218, 292-93 

Hoffman, Modern Methods for Computer Security and Privacy (Prentice-Hall 1977) 
p. 170. 

Garfinkel et al., Practical Unix Security (O'Reilly & Associates, 1991), pp. 12-13. 

Neumann, Computer Related Risks (ACM Press, 1995), p. 2. 


Alternative control structures 


Patent Specifications 
'193 patent at 28:29-37 
'193 patent at 30:42-3 3:7 
'193 patent at 31:29-56 
'193 patent at 48:15-35 
'193 patent at 306:30-65 
'193 patent at 308:29-42 
'193 patent at 308:48-65 
'193 patent at 312:11-31 


Digital file versus a copy 


Patent Specifications 
'193 patent at 162:10-15 
'193 patent at 226:11-16 
'193 patent at 278:11-23 
'193 patent at 316:16-37 
'193 patent at 324:8-37 
'193 patent at 325:32-40 


Host Processing Environments 
and Secure Processing 
Environments 


Patent Specifications 
'193 patent at 13:7-14 
'193 patent at 79:24-80:21 
'193 patent at 80:65-81:8 
'193 patent at 278:46-65 

'683 patent at 29:51-30:3 

'721 patent at 3:16-21 

EXHIBIT D 

PLR 4-3(b) - Microsoft's Listing of Intrinsic and Extrinsic Evidence 



Each claim phrase incorporates the Intrinsic and Extrinsic support of the individual terms within it 



Claim Term 


MS Construction 


access, accessed, 
access to, 
accessing 

193.15, 193.19, 
912.8, 912.35, 
861.58, 683.2, 
721.34 


Intrinsic: 

- "These rights govern use of the VDE object 300 by that user or user group. For instance, the user 
may have an "access" right, and an "extraction" right, but not a "copy" right" ('193 159:32)* 

- ('193 82:27-45); ('193 109:53-57); ('193 118:17-31); ('193 139:60-140:6); ('193 148:55-58); ('193 
183:12-29); ('193 188:59-67); ('193 192:2-24) 

Extrinsic: 2 

Access (n): 2. The use of an access method. 3. The manner in which files or data sets are referred to by 
the computer. 5. In computer security, a specific type of interaction between a subject and an object 
that results in the flow of information from one to the other. (IBM) 3 

Access (n.): 1. In access control, a specific type of interaction between a subject and an object that 
results in the flow of information from one to the other. 3. In computing, the manner in which files or 
data sets are referred to by a computer (Longley) 4 

Access(ing) (v.): 1. To obtain the use of a computer resource. 4. To obtain data from or to put data in 
storage. (IBM) 


addressing 
861.58 


Intrinsic: 

"Load modules 1100 in the preferred embodiment are modular and "code pure" so that individual load 
modules may be reenterable and reusable. In order for components 690 to be dynamically updatable, 
they may be individually addressable within a global public name space." ('193 86:49-53) 

Extrinsic: 

Addressing (v): 1. A character or group of characters that identifies a register, a particular part of 
storage, or some other data source or destination. 4. A name, label, or number identifying a location in 
storage, a device in a system or network, or any other data source. 5. In data communication, the 
unique code assigned to each device or workstation connected to a network. (IBM) 

Addressing (n.): 1. In computing, a character or group of characters that identifies a register, a 
particular part of storage, or some other data source or destination. 2. In computing, to refer to a device 
or an item of data by its address. (Longley) 

Addressing (v): 1. In computing, the assignment of addresses to the instructions of a program. 
2. In communications, the means whereby the originator or control station selects the unit to which it is 
going to send a message (Longley) 


allowing, allows 

912.35, 193.1, 
193.11, 193.15, 
193.19 


Intrinsic: 

- SN 08/780,545 ('912): 10/29/98 amendment to claim 211 (issued claim 35) "necessary in order to 
gain" to "allowing" 

- "VDE can: (a) audit and analyze the use of content, (b) ensure that content is used only in authorized 
ways, and (c) allow information regarding content usage to be used only in ways approved by content 
users." ('193 4:51-56) 



1 Citations to the '193 Patent are representative of citations to the text and drawings of the "Big Book" application also 
published in the '891, '900, and '912 Patents. Emphasis is added unless otherwise noted. 

2 Extrinsic evidence is cited herein without waiver of any kind, including relevance or probative value. 

3 "IBM" herein refers to IBM Dictionary of Computing, 10th ed., 1983. 

4 "Longley" herein refers to Longley, D., et al, Information Security: Dictionary of Concepts, Standards, and Terms, 1992 




- VDE is a secure system for regulating electronic conduct and commerce. Regulation is ensured by 
control information put in place by one or more parties. /'1 93 6"3'?-^41 

- VDE ensures that certain prerequisites necessary for a given transaction to occur are met ('193 
20:27-28) 

- ('193 309:10-16); ('193 15:41-46); ('193 17:22-28); ('193 303:67-304:1) 

Extrinsic: 

Least privilege: Each user and each program should operate using the fewest privileges possible. In 
this way, the damage from an inadvertent or malicious attack is minimized. (Pfleeger) 5 


arrangement 
721.34 


See also phrases of use in 721.34. 
Intrinsic: 

An important part of VDE provided by the present invention is the core secure transaction control 
arrangement, herein called an SPU (or SPUs), that typically must be present in each user's computer, 
other electronic appliance, or network. ('193 48:66) 


aspect 

900.155,912.8, 
861.58, 683.2 


See also phrases of use in 900.155, 912.8, 861.58, 683.2. 
Extrinsic: 

Aspect: The qualification of a descriptor. (IBM) 


associated with 

912.8, 193.1, 
193.11, 193.15, 
683.2 


Intrinsic: 

- "VDEF load modules, associated data, and methods form a body of information that for the purposes 
of the present invention are called "control information." VDEF control information may be specifically 
associated with one or more pieces of electronic content and/or it may be employed as a general 
component of the operating system capabilities of a VDE installation." ('193 18:36-42) 

- "As mentioned above, virtual distribution environment 100 "associates" content with corresponding 
"rules and controls," and prevents the content from being used or accessed unless a set of corresponding 
"rules and controls" is available." ('193 57:18-22) 

- "This "lookup" mechanism permits electronic appliance 600 to associate, in a secure way, VDE 
objects 300 with PERCs 808, methods 1000 and load modules 1100." ('193 153:35-38) 

- ('193 55:39-45); ('193 142:50-52); ('193 57:30-33); ('861 1:50-53) 

Extrinsic: 

Association: In the Open Systems Interconnection reference model, a cooperative relationship between 
two peer entities, supported by the exchange of protocol control information using the services of the 
next lower layer. (IBM) 


authentication 


Intrinsic: 

- A certification key pair may be used as part of a "certification" process for PPEs 650 and VDE 
electronic appliances 600. This certification process in the preferred embodiment may be used to permit 
a VDE electronic appliance to present one or more "certificates" authenticating that it (or its key) can be 
trusted. As described above, this "certification" process may be used by one PPE 650 to "certify" that it 
is an authentic VDE PPE, it has a certain level of security and capability set (e.g., it is hardware based 
rather than merely software based), etc. ('193 232:66-213:15) 

- "One of the functions SPU 500 may perform is to validate/authenticate VDE objects 300 and other 
items. Validation/authentication often involves comparing long data strings to determine whether they 
compare in a predetermined way." ('193 67:56-60) 



5 "Pfleeger" herein refers to Pfleeger, Security in Computing (1989). 

- ('683 17:20-27); ('683 52:56-60); ('193 112:46-61) 

Extrinsic: 

Authentication: 1. In computer security, verification of the identity of a user or the user's eligibility to 
access an object. 2. In computer security, verification that a message has not been altered or corrupted. 
3. In computer security, a process used to verify the user of an information system or protected 
resources. 4. A process that checks the integrity of an entity. (IBM) 

Authentication: 1. In data security, the act of determining that a message has not been changed since 
leaving its point of origin. 4. In computer security, the act of identifying or verifying the eligibility of 
a station, originator, or individual to access specific categories of information (Longley) 


authorization 
information, 
authorized, not 
authorized 

193.15, 193.19 


Intrinsic: 

- See "allow." 

Several independent comparisons may be used to ensure there has been no unauthorized substitution. 
For example, the public and private copies of the element ID may be compared to ensure that they are 
the same, thereby preventing gross substitution of elements. In addition, a validation/correlation tag 
stored under the encrypted layer of the loadable element may be compared to make sure it matches one 
or more tags provided by a requesting process. This prevents unauthorized use of information ('193 
87:47-55) 

"using said authorization information to gain access to or make at least one use of said first digital file" 
('193 Claim 19) 

Extrinsic: 

Authorization: 1. In computer security, the right granted to a user to communicate with or make use of a 
computer system. 2. An access right. 3. The process of granting a user either complete or restricted 
access to an object, resource, or function. (IBM) 

Authorization: (1) In access control, the granting to a user, a program, or a process the right of access. 
(2) In operations, the right given to a user to communicate with or make use of a computer system or 
stored data. 3. The privilege granted to an individual by a designated official to access information 
based upon the individual's clearance and need-to-know. (Longley) 

Authorization: "A system control feature that requires specific approval before the processing can take 
place." (Webster's New World Dictionary of Computer Terms, 4th ed., 1992) 


budget control; 
budget 

193.1 


Intrinsic: 

- ""Budgets" 308 shown in FIG. 5B are a special type of "method" 1000 that may specify, among 
other things, limitations on usage of information content 304, and how usage will be paid for. Budgets 
308 can specify, for example, how much of the total information content 304 can be used and/or 
copied. The methods 310 may prevent use of more than the amount specified by a specific budget" 
('193 59:19-25) (See also Fig. 5B) 

- "For example, consider the case of a security budget. One form of a typical budget might limit the 
user to 10Mb of decrypted data per month." ('193 265:9-11) 

- "An example of the process steps used for the move of a budget record might look something like 
this: 1) Check the move budget (e.g., to determine the number of moves allowed) ('193 265:24-27) 

- "BUDGET method 408 may store budget information in a budget DDE" ('193 182:25-26) 

- "In the preferred embodiment, a "method" 1000 is a collection of basic instructions, and information 
related to basic instructions, that provides context, data, requirements and/or relationships for use in 
performing, and/or preparing a perform, basic instructions in relation to the operation of one or more 
electronic appliances 600." ('193 85:43-48; repeated essentially at '193 136:20-25) 

- BUDGET method 408 may result in a "budget remaining" field in a budget UDE being decremented 
by an amount specified by BILLING method 406. ('193 182:22-30) 

- ('193 58:27-34); ('193 187:48-50); ('193 235:39-42); ('193 143:63 - 144:14); ('193 265:44-51) 

Extrinsic: 

Budget A budget is the control mechanism for a meterable feature. A budget provides an upper limit 
for the vohimeofameterable feature that a user (client) may use. Budgets consist of two values: a 
ceiling limit on use and an increment value mat is added to the associated meter when a meterable event 
occurs. Budgets may be stand-alone or cascaded A stand-alone budget only increments the meters for 
itself while a cascaded budget can increment many meters from a single meterable event A budget 
consists of an identification sextet, a descriptive area that describes the budget (cascade budget tuple 
and other miscellaneous flags), and a series of budget tuples. Each budget tuple consists of a budget 
and the increment value. It should be noted that a budget may be specified in meterable events or in 
dollars, based on the type of meter the budget will be compared against. (VDE ROI Device vl .0a, 9 
Feb 1994, IT00008582) 

Control: The determination of the time and order in which the parts of a data processing system and the 
devices that contain those parts perform the input, processing, storage, and output functions. (IBM) 

Budget Object: A governed element that defines the consumer's ability to provide payment using a
specific payment type. (ITG, 1997-1998, ML00012B) 6

Budget Object: An InterTrust system object that defines the consumer's ability to provide payment
using a specific payment type. ((emphasis added) IT System Developers Kit, 1997, TDO0298C)

Budget: A control mechanism that limits operations on content based on billed amounts that can
maintain a budget trail. A budget may be financially based (e.g., a number of dollars available for
purchasing content use) or abstract (e.g. a total number of permitted usages). (ITG, 3/7/95,
IT00709617)

Budget: * A fixed quantity of money, time, etc. against which the cost of operation is charged. Budget
activities usually also involve reporting. (ITG, 8/21/95, IT0032371)

Control: Defines rules and consequences for operations on a Property Chunk. A Control may be
implemented by a process of arbitrary complexity (within the limits posed by the capability of the
Node. (ITG, 5/12/95, IT00028293)

Control: A business rule that governs the use of content. (ITG, 1997-1998, ML00012B)

Control: A set of rules and consequences that apply to a governed element. The term control can apply
to either a control program or a control set. (ITG, 1997-2000, ML00012D)

Control: * Control Element. A data structure that giverns (sic) the operation of a control mechanism
(e.g., meter element, budget element, report element, trail element). * Control mechanism: One of the
mechanisms that controls and performs operations on a VDE object (e.g. meter, bill, budget). A control
mechanism is distinct from a control element in that it specifies the execution of some process. *
Control object: A data structure that is used to implement some VDE control: a PERC, a control
element, a control parameter, or the data representing a control mechanism. * Control Parameter: A
data structure that is input to a control mechanism and that serves as part of the mechanism's
specifications. For example, a billing mechanism might have a pricing parameter, a creator using that
mechanism could alter the parameter but not change the mechanism itself. (ITG, 3/7/1995,
IT00709618, see footnote 2)


can be 
193.1 


Intrinsic: 

"VDE can: (a) audit and analyze the use of content, (b) ensure that content is used only in authorized
ways and (c) allow information regarding content usage to be used only in ways approved by content
users." ('193 4:51-56)

6 "(ITG" herein is a generic reference to several InterTrust glossaries that are further identified by Bates number or IT
document number.

- VDE is a secure system for regulating electronic conduct and commerce. Regulation is ensured by
control information put in place by one or more parties. ('193 6:33-35)

- It also employs a software object architecture for VDE content containers that carries protected
content and may also carry both freely available information (e.g., summary, table of contents) and
secured content control information which ensures the performance of control information. ('193
15:41-46)

- Because of the breadth of issues resolved by the present invention, it can provide the emerging
"electronic highway" with a single transaction/distribution control system that can, for a very broad
range of commercial and data security models, ensure against unauthorized use of confidential and/or
proprietary information and commercial electronic transactions. ('193 17:22-28)

- VDE ensures that certain prerequisites necessary for a given transaction to occur are met. ('193
20:27-28)

- "support "launchable" content, that is content that can be provided by a content provider to an
end-user, who can then copy or pass along the content to other end-user parties without requiring the direct
participation of a content provider to register and/or otherwise initialize the content for use." ('193
24:57-62)

- "For example, budget process 408 may limit the number of times content may be accessed or 
copied, or it may limit the number of pages or other amount of content that can be used based on, for 
example, the number of dollars available in a credit account" ('193 58:28-32) 

- "Budgets 308 can specify, for example, how much of the total information content 304 can be used 
and/or copied. The methods 310 may prevent use of more than the amount specified by a specific 
budget." ('193 59:22-25) 

- "As an alternative example, a creator may allow moving of usage rights by a distributor to half a
dozen subdistributors, each of whom can distribute 10,000 copies, but with no redistribution rights
being allowed to be allocated to subdistributors' (redistributors') customers. ... Content providers and
other contributors of control information have the ability through the use of permissions records and/or
component assemblies to control rights other users are authorized to delegate in the permissions records
they send to those users, so long as such right to control one, some, or all such rights of other users is
either permitted or restricted (depending on the control information distribution model)." ('193
269:34-49)

"In such systems, because document content can be freely copied and manipulated, it is not possible to
determine where document content has gone, or where it came from." ('193 281:33-36)


capacity 
683.2 


Intrinsic: 

"Some items may be too large to store within container 302." ('193 58:54-55) 

('193 243:23-244:48) 

Extrinsic: 

Capacity: See channel capacity, storage capacity. (IBM)

Channel Capacity: The measure of the ability of a given channel subject to specific constraints to
transmit messages from a specified message source expressed as either the maximum possible mean
transinformation content per character or the maximum possible average transinformation rate, which
can be achieved with an arbitrary small probability of errors by use of an appropriate code. (IBM)

Storage capacity: The amount of data that can be contained in a storage device measured in binary 
characters, bytes, words, or other units. For registers, the term "register length" is used with the same 
meaning. Synonymous with storage size. (IBM) 


clearinghouse
193.19


Intrinsic:


- "Distribution involves three types of entity. Creators usually are the source of distribution. They
typically set the control structure "context" and can control the rights which are passed into a
distribution network. Distributors are users who form a link between object (content) end users and
object (content) creators. They can provide a two-way conduit for rights and audit data. Clearinghouses
may provide independent financial services, such as credit and/or billing services, and can serve as
distributors and/or creators. Through a permissions and budgeting process, these parties collectively can
establish fine control over the type and extent of rights usage and/or auditing activities." ('193
267:34-45)

- "Payment credit or currency may then be automatically communicated in protected (at least in part
encrypted) form through telecommunication of a VDE container to an appropriate party such as a
clearinghouse, provider of original property content or appliance, or an agent for such provider (other
than a clearinghouse)." ('193 36:64-37:3)

"if appropriate credit (e.g. an electronic clearinghouse account from a clearinghouse such as VISA or
AT&T) is available" ('193 25:22-24)

Extrinsic:

Clearinghouse: * A facility that receives reports of content use and in turn reports payments and usage
to content creators and distributors. (ITG, 8/21/95, IT00032372, TD00068B)


compares, 
comparison 

900.155 


Intrinsic: 

"ROS 602 also provides a tagging and sequencing scheme that may be used within the loadable 
component assemblies 690 to detect tampering by substitution. Each element comprising a component 
assembly 690 may be loaded into an SPU 500, decrypted using encrypt/decrypt engine 522, and then 
tested/compared to ensure that the proper element has been loaded. Several independent comparisons 
may be used to ensure there has been no unauthorized substitution. For example, the public and private 
copies of the element ID may be compared to ensure that they are the same, thereby preventing gross 
substitution of elements." ('193 87:41-51) 

Extrinsic: 

Compare: 1. To examine two items to discover their relative magnitudes, their relative positions in an
order or in a sequence, or whether they are identical in given characteristics. 2. To examine two or
more items for identity, similarity, equality, relative magnitude, or order in a sequence. (IBM)

Comparison: The process of examining two or more items for identity, similarity, equality, relative 
magnitude, or for order in sequence. (IBM) 


component 
assembly 

912.8, 912.35


Intrinsic: 

"Many such load modules are inherently configurable, aggregatable, portable, and extensible and 
singularly, or in combination (along with associated data), run as control methods under the VDE 
transaction operating environment." ('193 25:48-52) 

- ('193 77:12-27); ('193 83:11-22); ('193 181:20-21); ('193 272:29-36)

"Components 690 are preferably designed to be easily separable and individually loadable. ROS 
602 assembles these elements together into an executable component assembly 690 prior to loading 
and executing the component assembly (e.g., in a secure operating environment such as SPE 503 
and/or HPE 655)." ('193 83:43-48) 

- ('193 83:23); ('193 85:21-29 see '193 170:2-4); ('193 86:51-52); ('193 87:41-62); ('193
109:24-45); ('193 115:65-116:4); ('193 116:30-34); ('193 185:42-46)

Extrinsic:

Component: 1. Hardware or software that is part of a functional unit. 2. A functional part of an
operating system. 3. A set of modules that performs a major function within a system. (IBM)

Component: In data communications, a device or set of devices, consisting of hardware, along with its
firmware, and or software that performs a specific function on a computer communications network. A
Component is a part of a larger system, and may itself consist of other components. (Longley)

"Thus, PERC 808 in effect contains a "list of assembly instructions" or a "plan" specifying what
elements ROS 602 is to assemble together into a component assembly and how the elements are to be
connected together. PERC 808 may itself contain data or other elements that are to become part of the
component assembly 690." ('193 85:30-39)


contain, 

contained, 

containing 

683.2, 912.8,
912.35


Intrinsic: 

"Container 300y may contain and/or reference rules and control information 300y(1) that specify
the manner in which searching and routing information use and any changes may be paid for." ('193
241:36-39)

"Each logical object structure 800 may also include a "private body" 806 containing or referencing
a set of methods 1000 (i.e., programs or procedures) that control use and distribution of the object
300." ('193 128:25-28)

- "Therefore, stationary object structure 850 does not contain a permissions record (PERC) 808;
rather, this permissions record is supplied and/or delivered separately (e.g., at a different time, over a
different path, and/or by a different party) to the appliance/installation 600." ('193 130:18-22)

"The content portion of a logical object may be organized as information contained in, not
contained in, or partially contained in one or more objects." ('193 127:8-19)

"Therefore, stationary object structure 850 does not contain a permissions record (PERC) 808;
rather, this permissions record is supplied and/or delivered separately (e.g., at a different time, over a
different path, and/or by a different party)" ('193 130:18)

- ('193 58:49-58); ('193 86:47-48); ('193 87:3-6); ('193 130:63-64); ('193 136:32-34); ('193
241:36-39); ('683 54:29-37)

See also prior art referred to the relevant InterTrust patent file histories, e.g. U.S. Patent 5,715,403

Extrinsic:

"Container A contains protected content, which is divided into one or more atomic elements, and,
optionally, PERCs governing the content and may be manipulated only as specified by a PERC." (ITG,
4/6/95, IT00028206, see footnote 2 and 4)

"Container. A packaging mechanism, consisting of: * One or more Element-derived components. * An
organization mechanism which provides a unique name within a flat namespace for each of the
components in a Container." (ITG, 5/12/95, IT00028293)

"Container: A protected digital information storage and transport mechanism for packaging content
and control information." (ITG, 8/21/95, IT00032372, TD00068B)

Container: A collection of content and control-related information. (IT VDE Container Overview,
2/10/95, IT00051228, ETM-9999 Version 0.21)

Contain: In data security, a multilevel information structure. A container has a classification and may
contain objects and/or other containers. (Longley, Information Security dictionary of Concepts,
Standards, and Terms (1992)

USP 5,369,702

Que's Computer Programmers Dictionary ( vue ) ("A dynamic data structure, the elements of which
are arbitrary data items whose type is not known when the program is written.")

Dictionary of Computer Science Engineering and Technology (2001) ("Abstract data type storing a
collection of objects (elements)")

ITO0037-M, IT002734-39, IT004188-96, IT0031572-85, IN00075960, JT00703055-71, IT0052146-64,
IN00441189-224, IN0075983-87

See also Microsoft PLR 4-2 Exhs. E & F as revised, and InterTrust's Rule 30(b)(6) testimony.


control (n.)

193.1, 193.11,
193.15, 193.19, 
891.1 


Intrinsic: 

"Claims ... are allowable over the prior art of record. The instant claims provide for first and 
second entity or control or procedure or executable code that are separately, remotely and different 
from each to combine or process or execute an operation or procedure based on at least first and 
second control or procedure or executable code in an electronic appliance or secure operating 
environment or third party different and remote from the first and second entity or control or procedure 
or executable code." 08/964,333 ('891), Office Action, 09/22/98, p. 3 (MS1028945)

"The virtual distribution environment 100 prevents use of protected information except as
permitted by the "rules and controls" (control information)." ('193 56:26)

"As mentioned above, virtual distribution environment 100 "associates" content with
corresponding "rules and controls," and prevents the content from being used or accessed unless a set
of corresponding "rules and controls" is available." ('193 57:18-22)

- "at least one rule and/or control associated with the software agent that governs the agent's
operation." ('193 241:2-3)

"In this example control information may include one or more component assemblies that describe
the articles within such a container (e.g. one or more event methods referencing map tables and/or
algorithms that describe the extent of each article)." ('193 309:5-9)

- "Even if a consumer has a copy of a video program, she cannot watch or copy the program unless
she has "rules and controls" that authorize use of the program. She can use the program only as
permitted by the "rules and controls."" ('193 53:60-63)

- "A control set 914 contains a list of required methods that must be used to exercise a specific right
(i.e., process events associated with a right)." ('193 151:14-16)

- "If necessary, trusted go-between 4700 may obtain and register any methods, rules and/or controls it
needs to use or manipulate the object 300 and/or its contents (FIG. 122 block 4778)." ('683, sheet 188)

See also prior art referred to the relevant InterTrust patent file histories.

MSI026598-602, 26626-7, 26630-42; MSI028808-11, 28846-52, 28728-62, 28857-58, 28944-97,
28953-56

Extrinsic: 

Control: The determination of the time and order in which the parts of a data processing system and the 
devices that contain those parts perform the input, processing, storage, and output functions. (IBM) 

"5. Control Notes ... A Control must execute as a transaction ... A Control may require pre-conditions
- that is that one or more other Controls have been executed before the Control is executed. [] 7.
Control Execution Flow The following pseudocode describes the approximate execution sequence for a
View Control [] 8. Operation of a Control (Execution of "Rules and Consequences") ..." (VDE
Controls Notes, IT00051953-55)

Control: A business rule that governs the use of content. (ITG, 1997-1998, ML00012B) 

Control: A set of rules and consequences that apply to a governed element. The term control can apply
to either a control program or a control set. (ITG, 1997-2000, ML00012D)

Control: * Control Element. A data structure that giverns (sic) the operation of a control mechanism
(e.g., meter element, budget element, report element, trail element). * Control mechanism: One of the
mechanisms that controls and performs operations on a VDE object (e.g. meter, bill, budget). A control
mechanism is distinct from a control element in that it specifies the execution of some process. *
Control object: A data structure that is used to implement some VDE control: a PERC, a control
element, a control parameter, or the data representing a control mechanism. * Control Parameter: A
data structure that is input to a control mechanism and that serves as part of the mechanism's
specifications. For example, a billing mechanism might have a pricing parameter, a creator using that
mechanism could alter the parameter but not change the mechanism itself. (ITG, 3/7/1995,
IT00709618, see footnote 2)

Control: Defines rules and consequences for operations on a Property Chunk. A Control may be
implemented by a process of arbitrary complexity (within the limits posed by the capability of the
Node. (ITG, 5/12/95, IT00028293)

Control: A set of rules and consequences for operations on content, such as pricing, payment models,
usage reporting etc. (ITG, 8/21/95, IT00032373, TD00068B)

Control: An object of the InterTrust Commerce Architecture that specifies business rules. Controls are
applied at any time and at any point in the Chain of Handling and Control. InterTrust controls are
dynamic, independent, and persistent. (ITG, 11/17/96, IT00035865, TD00189J)

"Rules and Controls" means any electronic information that directs, enables, specifies, describes, and/or
provides contributing means for performing or not-performing, permitted and/or required operations
related to Content, including, for example, restricting or otherwise governing the performance of
operations, such as, for example, Management of such Content. (License Agreement,
InterTrust/Universal Music Group, 4/13/99, Exhibit 11 to InterTrust 30(b)(6))

"A set of control elements corresponding to all of the property elements of a property. There may be 
zero or more controls for a given property." (IT 28204) 

"Defines rules and consequences for operations on a Property Chunk ... A single control applies to 
exactly one Property Chunk" (IT 28293) 

"CONTROL(S): Controls refer to the rules and consequences associated with DigiBox containers.
Controls may be applied dynamically..." (IT 35961)

"CONTROL: The rules associated with a governed entity such as a DigiBox container, property, or 
another control . . . applied dynamically. InterTrust controls are dynamic, independent, and persistent." 
(IT 35920) 

"... controls implement business rules" (IT 35892)

Webster's New World Dictionary of Computer Terms, 4th Ed. (1992) ("The function of performing
required operations when certain specific conditions occur or when interpreting and acting upon
instructions."); IT00125, IT31410-14, IT703083-89, IT51721-26, IT00735936 (key), IT51956 et seq.,
IN0075983-87, IN0075989-93; The Dictionary of Computing & Digital Media (1999) (control card)

See also Microsoft PLR 4-2 Exhs. E & F as revised, and InterTrust's Rule 30(b)(6) testimony. 


controlling, 
control (v.) 

861.58, 193.1 


Intrinsic: 

"ROS 602 includes software intended for execution by SPU microprocessor 520 for, in part, 
controlling usage of VDE related objects 300 by electronic appliance 600. As will be explained, these 
SPU programs include "load modules" for performing basic control functions." ('193 66:5-8)

"VDE prevents many forms of unauthorized use of electronic information, by controlling and
auditing (and other administration of use) electronically stored and/or disseminated information."
('193 11:60-63)

- ('193 15:41-46); ('193 20:27-28); ('193 56:26-28); ('193 57:18-22); ('193 4:51-56); ('193 6:33-35);
('193 15:41-46); ('193 17:22-28); ('193 20:27-28)

Extrinsic: 

Control: The determination of the time and order in which the parts of a data processing system and the 
devices that contain those parts perform the input, processing, storage, and output functions. (IBM) 

Control: In data security, a multilevel information structure. A container has a classification and may 
contain objects and/or other containers. (Longley) 

Control: A business rule that governs the use of content. (ITG, 1997-1998, ML00012B) 

Control: A set of rules and consequences that apply to a governed element. The term control can apply 
to either a control program or a control set. (ITG, 1997-2000, ML00012D)

Control: * Control Element. A data structure that giverns (sic) the operation of a control mechanism
(e.g., meter element, budget element, report element, trail element). * Control mechanism: One of the
mechanisms that controls and performs operations on a VDE object (e.g. meter, bill, budget). A control
mechanism is distinct from a control element in that it specifies the execution of some process. *
Control object: A data structure that is used to implement some VDE control: a PERC, a control
element, a control parameter, or the data representing a control mechanism. * Control Parameter: A
data structure that is input to a control mechanism and that serves as part of the mechanism's
specifications. For example, a billing mechanism might have a pricing parameter, a creator using that
mechanism could alter the parameter but not change the mechanism itself. (ITG, 3/7/1995,
IT00709618, see footnote 2)

Control: Defines rules and consequences for operations on a Property Chunk. A Control may be 
implemented by a process of arbitrary complexity (within the limits posed by the capability of the 
Node. (ITG, 5/12/95, IT00028293) 

Control: A set of rules and consequences for operations on content, such as pricing, payment models, 
usage reporting etc. (ITG, 8/21/95, IT00032373, TD00068B) 


copied file 
193.11 


Intrinsic:
Extrinsic:

Copy: A product of a document copying process. (IBM)


copy, copied, 
copying 

193.1, 193.11, 
193.15, 193.19 


Intrinsic: 

"These rights govern use of the VDE object 300 by that user or user group. For instance, the user 
may have an "access" right, and an "extraction" right, but not a "copy" right." ('193 159:23-26)

"At the same time, electronic testing will allow users to receive a copy (encrypted or
unencrypted) of their test results when they leave the test sessions." ('193 319:12-15)

- ('193 129:3-8); ('193 claim 60); ('193 53:60-62); ('193 131:65-132:1)

Extrinsic:

Copy: A product of a document copying process. (IBM)


copy control 
193.1 


Intrinsic: 

- "If the user's budget permits the extraction ("yes" exit to decision block 2088), then the EXTRACT 
method 2080 creates a copy of the extracted object with specified rules and control information (block 
2094). In the preferred embodiment, this step involves calling a method that actually controls the 
copy." ('193 194:36-42) 

Extrinsic: 

Copy Control: In the 3800 Printing Subsystem, the functions that determine the number of copies to be 
printed for each data set, and which copies will be printed with a forms overlay or have copy 
modification. (IBM) 

Control: A business rule that governs the use of content. (ITG, 1997-1998, ML00012B)

Control: A set of rules and consequences that apply to a governed element. The term control can apply 
to either a control program or a control set. (ITG, 1997-2000, ML00012D) 

Control: * Control Element: A data structure that giverns (sic) the operation of a control mechanism 
(e.g., meter element, budget element, report element, trail element). * Control mechanism: One of the 
mechanisms that controls and performs operations on a VDE object (e.g. meter, bill, budget). A control 
mechanism is distinct from a control element in that it specifies the execution of some process. * 
Control object: A data structure that is used to implement some VDE control: a PERC, a control 
element, a control parameter, or the data representing a control mechanism. * Control Parameter: A 
data structure that is input to a control mechanism and that serves as part of the mechanism's
specifications. For example, a billing mechanism might have a pricing parameter, a creator using that
mechanism could alter the parameter but not change the mechanism itself. (ITG, 3/7/95, IT00709618,
see footnote 2)

Control: Defines rules and consequences for operations on a Property Chunk. A Control may be
implemented by a process of arbitrary complexity (within the limits posed by the capability of the
Node. (ITG, 5/12/95, IT00028293)

Control: A set of rules and consequences for operations on content, such as pricing, payment models,
usage reporting etc. (ITG, 8/21/95, IT00032373, TD00068B)


data item 
891.1 


Extrinsic: 

Data Item: 1. The smallest unit of named data that has meaning in the schema or subschema. 2. A unit
of data, either a constant or a variable, to be processed. 3. In the AIX operating system, a unit of data to 
be processed that includes constants, variable, or array elements, and character substrings. 6. 
Synonymous with host variable. (IBM) 

Data Item: In databases, the smallest unit of data that has independent meaning. (Longley) 

Item List: A list of data included with various objects. Item lists take two forms. When they are first 
created, they are in the form of lists that contain one or more data items. When you are finished 
creating the list, you convert the list to a blob, which is a set of raw bits that store the data in a compact 
way. To retrieve items from the item list, you use the Interoperability Library item list functions, which
convert the blob back to its interpreted list form and allow you to inspect the data items. (ITG,
1997-1998, ML00012B)

Data Item: An Element-derived bag of bits. (e.g., budget, meter, etc.) (ITG, 5/12/95, IT00028293)


derive, derives 
900.155 


Intrinsic: 

"Such control information can continue to manage usage of container content if the container is 
"embedded" into another VDE managed object, such as an object which contains plural embedded VDE 
containers, each of which contains content derived (extracted) from a different source." ('193 28:60-65) 

Extrinsic: 


descriptive data 
structure 

861.58 


Intrinsic: 

"The descriptive data structure can be used as a "template" to help create, and describe to other nodes, 
rights management data structures including being used to help understand and manipulate such rights 
management data structures." ('861 5:43-46)

"Claims [1,10,25,26] are rejected under 35 U.S.C. 102(b) as being clearly anticipated by the common
and decades-old practice of using database schema to describe the structure of a database which
requires password/identifications for access. ... Claims [1-17,25-26] are rejected under 35 U.S.C.
102(a) as being anticipated by Anderson et al (Anderson), USP 5,537,526, Method and Apparatus for
Processing a Display Document Utilizing a System Level Document. The claims are rejected on the 
basis of the correspondence between the teachings of Anderson and the elements of the claims as 
follows: As to claim 1 (and 10), the TabstractModel 502 is a machine readable, abstract descriptive 
data structure which interoperates with Tmodels 506 (TM), and TmodelSurrogates 504 (TMS). ... 
These models are clearly data structures, and while they can be of many types, the data they manage 
can include restrictions that correspond to rights management." (08/805,804 ('861), Office Action, 
06/25/98, p. 2-3) 

- "The above-referenced Ginter et al. patent specification describes, by way of non-exhaustive 
example, "templates" that can act as a set (or collection of sets) of control instructions and/or data for
object control software. See, for example, the "Object Creation and Initial Control Structures,"
"Templates and Classes," and "object definition file," "information" method and "content" methods
discussions in the Ginter et al. specification. The described templates are, in at least some examples,
capable of creating (and/or modifying) objects in a process that interacts with user instructions and
provided content to create an object. Ginter et al. discloses that templates may be represented, for
example, as text files defining specific structures and/or component assemblies, and that such
templates — with their structures and/or component assemblies — may serve as object authoring and/or
object control applications. Ginter et al. says that templates can help to focus the flexible and 
configurable capabilities inherent within the context of specific industries and/or businesses and/or 
applications by providing a framework of operation and/or structure to allow existing industries and/or 
applications and/or businesses to manipulate familiar concepts related to content types, distribution 
approaches, pricing mechanisms, user interactions with content and/or related administrative activities, 
budgets, and the like. This is useful in the pursuit of optimized business models and value chains 
providing the right balance between efficiency, transparency, productivity, etc. 

The present invention extends this technology by providing, among other features, a machine 
readable descriptive data structure for use in association with a rights management related (or other) 
data structure such as a secure container" ('861 4:65) 

- "For example, the FIG. 2 A example descriptive data structure headline definition 202a does not 
specify a particular headline (e.g., "Yankees Win the Pennant!"), but instead defines the location (for 
example, the logical or other offset address) within the container data structure 100a (as well as certain 
other characteristics) in which such headline information may reside ('861 10:54-59); 

- "These descriptive data structure ("DDS") templates may be used to create containers." ('861 6:26- 
32); 

_ 44 thc descriptive data structure may be used in a creation process 302. The creation process 302 may 
read the descriptive data structure and, in response, create an output file 400 with a predefined format 
such as, for example, a container 100 corresponding to a format described by the descriptive data 
structure 200." ( 4 86 1 1 1 :60-64) 

- "The output of the layout tool 300 may be a descriptive data structure 200 in the form of, for 
example, a text file. A secure packaging process 302a may accept container specific data as an input, 
and it may also accept the descriptive data structure 200 as a read only input. The packager 302a could 
be based on a graphical user interface and/or it could be automated. The packager 302a packages the 
container specific data 314 into a secure container 100." (* 861 12:9-16) 

- "FIG. 24 shows an example of a user data element ("UDE") 1200 provided by the preferred 
embodiment. As shown in FIG. 24, UDE 1200 in the preferred embodiment includes a public header 
802, a private header 804, and a data area 1206. The layout for each of these user data elements 1200 
is generally defined by an SGML data definition contained within DTD 1108 associated with one or 
more load modules 1100 that operate on the UDE 1200." ('193 143:21-28) 

- "The publisher 3308 may create or otherwise provide content and/or VDE control structure 
templates that are delivered to the local repository 3302 for use by other participants who have access 
to the "internal" network. The templates may be used to describe the structure of containers, and may 
further describe whom in the publisher 3308's organization may take which actions with respect to the 
content created within the organization related to publication for delivery to (and/or referencing by) 
the repository 3302. For example, the publisher 3308 may decide (and control by use of said template) 
that a periodical publication will have a certain format with respect to the structure of its content and 
the types of information that may be included (e.g. text, graphics, multimedia presentations, 
advertisements, etc.), the relative location and/or order of presentation of its content, the length of 
certain segments, etc. Furthermore, the publisher 3308 may, for example, determine (through 
distribution of appropriate permissions) that the publication editor is the only party that may grant 
permissions to write into the container, and that the organization librarian is the only party that may 
index and/or abstract the content." ('193 294:65-295:18) 

- "templates may be represented as text files defining specific structures and/or component 
assemblies. Templates, with their structure and/or component assemblies may serve as VDE object 
authoring or object control applications." ('193 260:36-47) 

- "...The result of object definition 1240 may be an object configuration file 1240 specifying certain 
parameters relating to the object to be created. Such parameters may include, for example, map 
tables, key management specifications, and event method parameters. The object construction stage 
1230 may take the object configuration file 1240 and the information or content to be included within 
the new object as input, construct an object based on these inputs, and store object repository 728." 
('193 103:38-46) 

"In accordance with one example, the machine readable descriptive data structure provides a 
description that reflects and/or defines corresponding structure(s) within the rights management data 
structure. For example, the descriptive data structure may provide a recursive, hierarchical list that 
reflects and/or defines a corresponding recursive, hierarchical structure within the rights management 
data structure. In other examples, the description(s) provided by the descriptive data structure may 
correspond to complex, multidimensional data structures having 2, 3, or n dimensions. The descriptive 
data structure may directly and/or indirectly specify where, in an associated rights management data 
structure, corresponding defined data types may be found. The descriptive data structure may further 
provide metadata that describes one or more attributes of the corresponding rights management data 
and/or the processes used to create and/or use it. In one example, the entire descriptive data structure 
might be viewed as comprising such metadata." ('861 5:57-6:7) 

- ('193 245:44-51); ('683 32:41-53); ('861 5:25-41); ('861 10:49-59); ('861 12:9-11); ('861 13:21-27); 
('861 20:25-47); ('193 259:37-51); ('193 298:41-62); ('193 103:3-32); ('193 285:9-35); 
('193 193:49-59); ('193 287:37-41) 

Extrinsic: 


designating 
721.1 


Intrinsic: 
Extrinsic: 


device class 
721.1 


Intrinsic: 

"Furthermore, Applicants respectfully submit that some of the terms cited by the Examiner as 
"indefinite" are either well-known by persons skilled in the art or inherently clear. For example, in 
Claims 1-4, 22-25, the term "class" is used as part of the phrase "device class." Applicants respectfully 
submit that "device class" is inherently clear, meaning a group of devices which share at least one 
attribute." (08/689,754 ('721), Amendment, 04/14/99, p. 14) 

Extrinsic: 

Device: 1. A mechanical, electrical, or electronic contrivance with a specific purpose. (IBM) 

Device class: The generic name for a group of device types. (IBM) 

Device type: 1. The name for a kind of device sharing the same model number; for example, 2311, 
2400, 2400-1. Contrast with device class. (2) The generic name for a group of devices; for example, 
5219 for IBM 5219 Printers. Contrast with device class. (IBM) 


digital file 

193.1, 193.11, 
193.15, 193.19 


Intrinsic: 
Extrinsic: 

File: "A complete, named collection of information, such as a program, a set of data used by a program, 
or a user-created document. A file is the basic unit of storage that enables a computer to distinguish one 
set of information from another. A file is the "glue" that binds a conglomeration of instructions, 
numbers, words, or images into a coherent unit that a user can retrieve, change, delete, save, or send to 
an output device." (Microsoft Computer Dictionary, 3rd ed, 1997) 


digital signature, 
digitally signing 
721.1 


Intrinsic: 

"There exist many well known processes for creating digital signatures. One example is the Digital 
Signature Algorithm (DSA). DSA uses a public-key signature scheme that performs a pair of 
transformations to generate and verify a digital value called a "signature."" ('721 10:60-64) 

- ('721 4:64-67); ('721 11:7-22); ('721 14:49-60); ('721 14:64-15:2) 

"Certificates play an important role in the trustedness of digital signatures, and also are important 
in the public-key authentication communications protocol (to be discussed below). In the preferred 
embodiment, these certificates may include information about the trustedness/level of security of a 
particular VDE electronic appliance 600 (e.g., whether or not it has a hardware-based SPE 503 or is 
instead a less trusted software emulation type HPE 655) that can be used to avoid transmitting certain 
highly secure information to less trusted/secure VDE installations" ('193 203:58-67) 

Extrinsic: 

Digital Signature: In computer security, encrypted data, appended to or part of a message, that enables a 
recipient to prove the identity of the sender. (IBM) 

Digital Signature: 1. In authentication, data appended to, or a cryptographic transformation of, a data 
unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect 
against forgery. 2. In authentication, a data block appended to a message, or a complete encrypted 
message, such that the recipient can authenticate the message contents and/or prove that it could only 
have originated with the purported sender. (Longley) 

"Let B be the recipient of a message M signed by A, then A's [digital] signature must satisfy three 
requirements: 

1. B must be able to validate A's signature on M. 

2. It must be impossible for anyone, including B, to forge A's signature. 

3. In case A should disavow signing a message M, it must be possible for a judge or third party to 
resolve a dispute arising between A and B. 

A digital signature therefore establishes sender authenticity 0 it also establishes data authenticity ." 
(Denning, p. 14) 7 

"A cipher is unconditionally secure if, no matter how much ciphertext is intercepted, there is not 
enough information in the ciphertext to determine the plaintext uniquely." (Denning, p. 5) (Davies, p. 
41, 380) 

"A cipher is computationally secure, or strong, if it cannot be broken by systematic analysis with 
available resources" (Denning, p. 5) (Davies, p. 41, 370) 


entity's control 
891.1 


Intrinsic: 

- "A public-key certificate is someone's public key "signed" by a trustworthy entity such as an authentic 
PPE 650 or a VDE administrator." ('193 203:42-45) 

- "Distribution involves three types of entity. Creators usually are the source of distribution. They 
typically set the control structure "context" and can control the rights which are passed into a 
distribution network. Distributors are users who form a link between object (content) end users and 
object (content) creators. They can provide a two-way conduit for rights and audit data. 
Clearinghouses may provide independent financial services, such as credit and/or billing services, and 
can serve as distributors and/or creators. Through a permissions and budgeting process, these parties 
collectively can establish fine control over type and extent of rights usage and/or auditing activities." 
('193 267:34-45) 

Extrinsic: 

Control: A business rule that governs the use of content. (ITG, 1997-1998, ML00012B) 

Control: A set of rules and consequences that apply to a governed element. The term control can apply 
to either a control program or a control set (ITG, 1997-2000, ML00012D) 

7 "Denning" herein refers to Denning, D., Cryptography and Data Security, 1983, MSI085569. 

Control: * Control Element. A data structure that grverns (sic) the operation of a control mechanism 
(e.g., meter element, budget element, report element, trail element). * Control mechanism: One of the 
mechanisms that controls and performs operations on a VDE object (e.g. meter, bill, budget). A control 
mechanism is distinct from a control element in that it specifies the execution of some process. * 
Control object: A data structure that is used to implement some VDE control: a PERC, a control 
element, a control parameter, or the data representing a control mechanism. * Control Parameter: A 
data structure that is input to a control mechanism and that serves as part of the mechanism's 
specifications. For example, a billing mechanism might have a pricing parameter, a creator using that 
mechanism could alter the parameter but not change the mechanism itself. (ITG, 3/7/95, IT00709618, 
see footnote 2) 

Control: Defines rules and consequences for operations on a Property Chunk. A Control may be 
implemented by a process of arbitrary complexity (within the limits posed by the capability of the 
Node. (ITG, 5/12/95, IT00028293) 

Control: A set of rules and consequences for operations on content, such as pricing, payment models, 
usage reporting etc. (ITG, 8/21/95, IT00032373, TD00068B) 


environment 

912.35,900.155, 

891.1,683.2, 

721.34 


Intrinsic: '721 file history Rejection 10/15/98, Amendment 4/19/99 at 13-15 
Extrinsic: 

"Environment: See InterTrust node: A computer that is enabled for processing of DigiBox containers 
by installation of a PPE, which may be either hardware or software based. A node may include 
application software and/or operating system integration. The node is also termed the environment" 
(ITG, 8/21/95, IT00032375, TD00068B) 


executable 

programming, 

executable 

912.8, 912.35, 
721.34 


Intrinsic: 

- "Furthermore, applicants' independent claims 16, 36, 37 and 64 require secure delivery and use of 
plural executable items. See claim 16 ("securely delivering a first procedure ... securely delivering ... 
a second procedure separable or separate from said first procedure..."); claim 36 ("securely delivering 
plural executable procedures ... "), claim 37 ("securely delivering a first piece of executable code ... 
securely delivering a second piece of executable code ...") and claim 64 ("securely receiving a first 
load module ... securely receiving a second load module ..."). These features are not taught or 
suggested by either Rosen or Johnson. Johnson's databases comprise data, not executable code." 

(08/388,107, Amendment, 06/20/97, p. 24-25) (MSI028848-49) 

"In addition, Applicants would like to draw the Examiner's attention to other sections of the 
specification in support of words or phrases cited by the Examiner as "indefinite." ... The noun 
"executable," as used in Claims ... 34-36 is defined in the specification on page 7." (pg. 13-14) 
(page 7 of the original specification is '721 2:62-3:13 of the issued patent) 
(08/689,754 ('721), Amendment, 04/14/99, p. 14) 

Execute: 1. To perform the actions specified by a program or a portion of a program. (IBM) 

Executable: 1. Program that has been link-edited and therefore can be run in a processor; The set of 
machine language instructions that constitute the output from the compilation of a source 
program. (IBM) 

Executable Programming: 1. A program that has been link-edited and therefore can be run in a 
processor. 2. The set of machine language instructions that constitute the output from the compilation 
of a source program. (IBM) 


execution space, 
execution space 
identifier 
912.8 


Intrinsic: 

"One important security layer involves ensuring that certain component assemblies 690 are formed, 
loaded and executed only in secure execution space such as provided within an SPU 500." ('193 
87:35-38) 

"The following is an example of a possible field layout for load module public header 802: . . . 
Execution Space Code: Value that describes what execution space (e.g., SPE or HPE) this load module 
(sic)." ('193 140:15-35) 

"The Ginter et al. patent disclosure describes, among other things, techniques for providing a 
secure, tamper resistant execution spaces within a "protected processing environment" for computer 
programs and data. The protected processing environment described in Ginter et al. may be hardware- 
based, software-based, or a hybrid. It can execute computer code the Ginter et al. disclosure refers to 
as "load modules."" ('721 3:16-23) 

"Furthermore, Applicants respectfully submit that some of the terms cited by the Examiner as 
"indefinite" are either well-known by persons skilled in the art or inherently clear. ... Furthermore, 
Applicants respectfully submit that the term "execution spaces," as used in Claim 32, is well-known in 
the art. It refers to a resource which can be used for execution of a program or process." 

08/689,754 ('721), Amendment, 04/14/99, p. 14 

- ('193 86:39-47); ('193 88:38-43); ('193 104:39-44); ('193 140:37-50) 

"The SPE (HPE) load module execution manager ("LMEM") 568 loads executables into the 
memory managed by memory manager 578 and executes them. LMEM 568 provides mechanisms for 
tracking load modules that are currently loaded inside the protected execution environment. LMEM 568 
also provides access to basic load modules and code fragments stored within, and thus always available 
to, SPE 503. LMEM 568 may be called, for example, by load modules 1100 that want to execute other 
load modules." ('193 111:20-28) 

"The internal ROM 532 and RAM 534 within SPU 500 provide a secure operating environment 
and execution space." ('193 69:33-35) 

SPU 500 general purpose RAM 534 provides, among other things, secure execution space for 
secure processes. ('193 70:43-44) 

Extrinsic: 

Execution: The process of carrying out an instruction or instructions of a computer program by a 
computer.(IBM) 

Tanenbaum 


governed item 
683.2 


Intrinsic: 

- See "Allow" 

- "If an image representation of a signature is stored on portable media or in a directory service, the 
image may be stored in an electronic container 302. Such a container 302 permits the owner of the 
signature to specify control information that governs how the signature image may be used." ('683 
27:29-) 

- VDE control information which governs the use, and consequences of use, of VDE controlled 
content." ('193 288:5-12) 

- ('193 128:41-45) 
Extrinsic: 

Govern: To initiate the execution of controls. (ITG, 10/2/96, IT00035894, TD00189F) 

Governance: The act of applying controls. Governance is the fundamental activity of the InterTrust 
Commerce Architecture. (ITG, 11/17/96, IT00035867, TD00189J) 

Governed Element: An InterTrust Commerce Architecture object to which governance is applied. 
DigiBox containers, content, control sets, and control records are the primary examples of governed 
elements. (ITG, 11/17/96, IT00035867, TD00189J) 
Defined consistent (IT 35962) 


Halting 
900.155 


Intrinsic: 

- "Dynamic Check of Association Between Appliance and PPE Instance: The executing operational 
materials 3472 may next compare an embedded electronic appliance signature SIG' against the 
electronic appliance signature SIG stored in the electronic appliance itself (FIG. 69K, decision block 
3564). As discussed above, this technique may be used to help prevent operational materials 3472 
from operating on any electronic appliance 600 other than the one it was initially installed on. PPE 650 
may disable operation if this machine signature check fails ("no" exit to decision block 3564, FIG. 
69K; disable block 3566)." ('900 243:30-41) 

"When an inconsistency is detected ("yes" exit to decision block 3590, FIG. 69L), PPE 650 can take 
appropriate action such as locking itself up from further use until reconstructed under the trusted 
server's control (FIG. 69L, disable block 3591)." ('900 247:50-54) 

Extrinsic: 

Halt Indicators: In RPG, an indicator that stops the program when an unacceptable condition occurs. 
Valid halt indicators are H1-H9 (IBM) 

Halt Instruction: 1. A machine instruction that stops execution of a program. 2. Synonym for pause 
instruction. (IBM) 


host processing 
environment 

900.155 


Intrinsic: 

- ('193 63:13-17); ('193 79:60-67); ('193 81:4-8); ('900 230:57-61); ('900 231:23-31); ('900 
236:505-53) 

- "HPE(s) 655 and SPE(s) 503 are self-contained computing and processing environments that may 
include their own operating system kernel 688 including code and data processing resources." ('193 
79:36-39) 

- "HPEs 655 may be provided in two types: secure and not secure." ('193 80:8-9) 

- ('193 79:31); ('193 80:22-36); ('193 80:40-65, Fig. 10); ('193 88:31-43); ('193 104:39-44) 

Extrinsic: 

Host processor: 1. A processor that controls all or part of a user application network. 2. In a network, 
the processing unit in which resides the access method for the network. 4. A processing unit that 
executes the access method for attached communication controllers.(IBM) 

"Host Processing Environment (HPE): A software-only realization of the PPE, protected from 
tampering by appropriate software techniques. No longer preferred because of the potential confusion 
between the "H" in the acronym and "H" as in "Hardware" (which this isn't). [REPLACEMENT 
UNCERTAIN]" (ITG, 3/7/95, IT00709621) 8 

"Secure Processing Environment (SPE): A hardware-supported realization of the PPE, protected from 
tampering by physical security techniques. No longer preferred because of the potential confusion 
between the "S" in the acronym and "S" as in "Software" (which this isn't). [REPLACEMENT 
UNCERTAIN]" (ITG, 5/12/95, IT00028302) 

Environment: See InterTrust node: A computer that is enabled for processing of DigiBox containers 
by installation of a PPE, which may be either hardware or software based. A node may include 
application software and/or operating system integration. 

The node is also termed the environment. (ITG, 8/21/95, IT00032375, TD00068B) 


8 Obsolete Terminology Section: "This section identifies terms that have been used in earlier documents to describe 
various VDE concepts, but that are, for various reasons, no longer preferred." 


identifier, 
identify, 
identifying 

193.11, 193.15, 
912.8, 912.35, 
861.58 


Intrinsic: 


"Portable appliance 2600 RAM 534 may contain, for example, information which can be used to 
uniquely identify each instance of the portable appliance. This information may be employed (e.g. as 
at least a portion of key or password information) in authentication, verification, decryption, and/or 
encryption processes." ('193 230:22-27) 

- ('193 25:31-38); ('193 37:27-31); ('193 111:47-67); ('193 111:59-67); ('193 124:8-18); ('193 
131:40-45); ('193 139:41-55); ('193 214:39-41); ('861 12:63-13:4); ('193 67:21-26); ('193 209:63-67); 
('193 214:39-41) 

Extrinsic: 

Identifier: 1. One or more characters used to identify or name a data element and possibly to indicate 
certain properties of that data element. 2. In programming languages, a token that names a data object 
such as a variable, an array, a record, a subprogram or a function. (IBM) 

Identifier: 1. In computing, a character or group of characters used to identify, indicate or name a body 
of data. 2. In computing, a name or string of characters employed to identify a variable, procedure, 
data structure or some other element of a program. (Longley) 


including 

193.1 (at 320:63, 
and 321:3); 
193.19 (at 
324:15); 

912.8 (at 327:36, 
39, and 41); 
912.35 (330:35 
and 39); 

861.58 (at 26:53 
and 63); and 

683.2 (at 63:60), 


Intrinsic: 

Prosecution History of '900 Patent: 

Changed "including" to "comprising" "to avoid any possible ambiguity relating to whether the control 
information must be 'inside' the secure object" 
Amendment to allowed claim 60, 10/29/98. 

"Load modules 1100 in the preferred embodiment comprise executable code, and may also include 
or reference one or more data structures called "data descriptor" ("DTD") information." ('193 136:53-56) 

"include or reference" ('861 15:21) 
"including or addressing" (claim 58); 
"includes a reference to" (claim 69); 

"Secure database 610 in the preferred embodiment does not include VDE objects 300, but rather 
references VDE objects stored, for example, on file system 687 and/or in a separate object repository 
728." ('193 126:26-65) 

- ('193 131:18-20) 

Extrinsic: 

"3. To consider with or place into a group, class, or total: thanked the host for including us." (Amer. 
Heritage Dictionary, 4th ed.) 


information 
previously stored 

900.155 


Intrinsic: 
Extrinsic: 

Information: 1. In information processing, knowledge concerning such things as facts, concepts, 
objects, events, ideas, and processes, that within a certain context has a particular meaning. (IBM) 

Information: 1. Any communication or reception of knowledge such as facts, data, or opinions, 
including numerical, graphic, or narrative forms, whether oral or maintained in any medium, including 
computerized data bases, paper, microform, or magnetic tape. 3. Knowledge 
that was unknown to the receiver prior to its receipt. Information can only be derived from data that is 
accurate, timely, relevant and unexpected.(Longley) 

Store: 1. To place data into a storage device. 2. To retain data in a storage device. 
integrity 
programming 

900.155 


Intrinsic: 

- "Upon initialization, the operational materials 3472 validate the embedded signature value against 
the actual electronic appliance 600 signature SIG, and may refuse to start if the comparison fails." 
('900 239:21-25) 

- "an otherwise unused section of the non-volatile CMOS RAM 656a may be used to store a 
signature 3497d. Signature 3497d is verified against the PPE 650's internal state whenever the PPE is 
initialized." ('900 239:51-55) 

- "Dynamic Check of Association Between Appliance and PPE Instance: The executing operational 
materials 3472 may next compare an embedded electronic appliance signature SIG' against the 
electronic appliance signature SIG stored in the electronic appliance itself (FIG. 69K, decision block 
3564). As discussed above, this technique may be used to help prevent operational materials 3472 
from operating on any electronic appliance 600 other than the one it was initially installed on. PPE 650 
may disable operation if this machine signature check fails ("no" exit to decision block 3564, FIG. 
69K; disable block 3566)." ('900 243:30-41) 

- ('193 80:45-48) 

Extrinsic: 

Integrity: The protection of systems, programs, and data from inadvertent or malicious destruction or 
alteration.(IBM) 

Integrity: 1. In data security, that computer security characteristic that ensures that computer resources 
operate correctly and that the data in the databases are correct. 2a. In data security, the capability of an 
automated system to perform its intended function in a unimpaired manner, free from deliberate or 
inadvertent unauthorized manipulation of the system. 2b. In data security, inherent quality of 
protection that ensures and maintains the security of entities of a computer system under all 
conditions.(Longley) 

Programming: 1. A sequence of instructions suitable for processing by a computer. 2. In programming 
languages, a logical assembly of one or more interrelated modules. 4. A sequence of instructions that a 
computer can interpret and execute.(IBM) 

Programming: The process by which a computer is made to perform a specialized task. It involves the 
creation of a formalized sequence of instructions which can be recognized and implemented by the 
machine. (Longley) 

Integrity: The ability to verify that data is unmodified from its intended value. (ITG, 5/12/95, 
IT00028294) 

Integrity: In relation to digital content, a state in which that content is unmodified and operations on 
the content are performed only as specified by the rightsholders. DigiBox containers ensure integrity. 
(ITG, 10/2/96, IT00035895, TD00189F) 

Integrity: definition varies slightly, best seems to be - A state in which content is unmodified and 
operations on properties are performed only as specified by the rights holders (IT 35922). 

Integrity: The assurance that content in a DigiBox container or content being processed by an IT 
content node has not been tampered with. (IT 35868) 


key 
193.19 


Intrinsic: 
"Key Types 

The detailed descriptions of key types below further explain secret-key embodiments; this summary is 
not intended as a complete description. The preferred embodiment PPE 650 can use different types of 
keys and/or different "shared secrets" for different purposes. Some key types apply to a Public- 
Key/Secret Key implementation, other keys apply to a Secret Key only implementation, and still other 
key types apply to both. The following table lists examples of various key and "shared secret" 
information used in the preferred embodiment, and where this information is used and stored: 

Key/Secret Information Type | Used in PK or Non-PK | Example Storage Location(s) 
Master Key(s) (may include some of the specific keys mentioned below) | Both | PPE; Manufacturing facility; VDE administrator 
Manufacturing Key | Both (PK optional) | PPE (PK case); Manufacturing facility 
Certification key pair | PK | PPE; Certification repository 
Public/private key pair | PK | PPE; Certification repository (Public Key only) 
Initial secret key | Non-PK | PPE 
PPE manufacturing ID | Non-PK | PPE 
Site ID, shared code, shared keys and shared secrets | Both | PPE 
Download authorization key | Both | PPE; VDE administrator 
External communication keys and other info | Both | PPE; Secure Database 
Administrative object keys | Both | Permission record 
Stationary object keys | Both | Permission record 
Traveling object shared keys | Both | Permission record 
Secure database keys | Both | PPE 
Private body keys | Both | Secure database; Some objects 
Content keys | Both | Secure database; Some objects 
Authorization shared secrets | Both | Permission record 
Secure Database Back up keys | Both | PPE; Secure database" 

('193 211:32 - 212:11) 

- ('193 211:18-212:18); ('193 193:8-23); ('193 207:50-60); ('193 208:38-40) 
Extrinsic: 

Keys: The permissions record also contains the fundamental decryption keys for an object. It may 
contain the keys for the object content or keys to decrypt portions of the object that contain other keys 
that then can be used to decrypt the content of the object. Usage of the keys is controlled by the 
Control Sets in the same permissions record. There are many more aspects to the keys in the 
permissions record that are beyond the scope of this document. (VDE ROI DEVICE v1.0a 9 Feb 1994, 
IT00008601) 

Key: 7. In computer security, a sequence of symbols used with a cryptographic algorithm for 
encrypting or decrypting data. (IBM) 

Key: 1. In cryptography, a sequence of symbols that controls the operations of encipherment and 
decipherment. 2. In cryptography, a symbol or sequence of symbols (or electrical or mechanical 
correlates of symbols) that control the operations of encryption and decryption). (Longley) 


load module 
912.8, 721.1 


Intrinsic: 

Prosecution History of Application 08/388,107 ('912 Patent is continuation) 

"Furthermore, applicants' independent claims 16, 36, 37 and 64 require secure delivery and use of 
plural executable items. See claim 16 ("securely delivering a first procedure ... securely delivering ... 
a second procedure separable or separate from said first procedure..."); claim 36 ("securely delivering 
plural executable procedures ..."), claim 37 ("securely delivering a first piece of executable code ... 
securely delivering a second piece of executable code ...") and claim 64 ("securely receiving a first 
load module ... securely receiving a second load module ..."). These features are not taught or 
suggested by either Rosen or Johnson. Johnson's databases comprise data, not executable code." 

08/388,107, Amendment, 06/20/97, p. 24-25 (MSI028848-49) 

"Load module 1100 contains code and static data (that is functionally the equivalent of code), and 
is used to perform the basic operations of VDE 100. Load modules 1100 will generally be shared by 
all the control structures for all objects in the system, though proprietary load modules are also 
permitted. Load modules 1100 may be passed between VDE participants in administrative object 
structures 870, and are usually stored in secure database 610. They are always encrypted and 
authenticated in both of these cases. When a method core 1000' references a load module 1100, a load 
module is loaded into the SPE 503, decrypted, and then either passed to the electronic appliance 
microprocessor for executing in an HPE 655 (if that is where it executes), or kept in the SPE (if that is 
where it executes)." ('193 139:19-32) 

- ('193 20:27-30); ('193 71:19-40); ('193 77:32-29); ('193 86:49-60); ('193 87:43-62); ('193 309:24-45); 
('193 111:20-28); ('193 111:29-39); ('193 111:40-47); ('193 111:59-67); ('193 126:30); ('193 
339:28-31); ('193 139:60-140:6); ('193 140:1-6); ('193 140:44-50); ('193 141:42-55); ('193 209:52- 
210:35); ('193 17:15-17); ('193 20:27-30); ('193 86:39-48); ('193 139:41-51); ('193 151:20-22); ('721 
3:21-35) 

Extrinsic: 

Load module: 1. All or part of a computer program or subprogram in a form suitable for loading into 
main storage for execution by a computer, usually the output of a linkage editor.(IBM) 

Load Module: A procedure, dynamically loaded or resident within the PPE, that performs or controls 
operations within the PPE. Some load modules are associated with individual objects or types of 
objects; others perform general utility operations. (ITG, 3/7/95, IT00709638, see footnote 2) 

"Load Module: shall mean an executable program that, when combined with control data and/or 
parameters, forms procedures or programs for performing specific types of control functions in 
compliance with EPR Specifications. Load Modules and their executable programs and associated 
control data and/or parameters are designed to, at least in part, be employed as one or more control 
elements which are used within a protected information transaction/distribution management 
arrangement" (License Agreement between National Semiconductor and EPR, 3/18/94, Exhibit 12 to
InterTrust 30(b)(6)) 

"Load Module: The lowest level of a VDE control structure: an executable program that operates, 
under control of a method or another load module, to manipulate VDE-protected elements (which may 
be in containers otherwise)." (IT VDE Container Overview, 2/10/95, IT00051228, ETM-9999 Version 
0.21) 

"A load module is an executable program that manipulates VDE elements and content to perform a 
specific control function. A load module invoked as an external method is responsible for ensuring that 
all its related load modules, methods, elements, etc. are available and that all required option choices 
have been made." (IT VDE Container Overview, 2/10/95, IT00051234, ETM-9999 Version 0.21) 


Machine check 
programming 

900.155 


Intrinsic:

iLloLJlLLJC WiJCLA UUCo ilUL appeal III MjCLli JCaLiUU 

- "Correspondence Between Installed Software and Appliance "Signature". Another technique that
may be used during the installation routine 3470 is to customize the operational materials 3472 by
embedding a "machine signature" into the operational materials to establish a correspondence between
the installed software on a particular electronic appliance 600 (FIG. 69C, block 3470(7))." ('900 239:4-14)

- "For electronic appliances 600 where it is feasible to do so, the installation procedure 3470 may
determine unique information about the electronic appliance 600 (e.g., a "signature" SIG in the sense of
a unique value — not necessarily a "digital signature" in the cryptographic sense)." ('900 239:15-19)



- "FIG. 69G shows an example of some of these appliance-specific signatures." ('900 239:41-42) 

- "Dynamic Check of Association Between Appliance and PPE Instance: The executing operational
materials 3472 may next compare an embedded electronic appliance signature SIG' against the
electronic appliance signature SIG stored in the electronic appliance itself (FIG. 69K, decision block
3564). As discussed above, this technique may be used to help prevent operational materials 3472 from
operating on any electronic appliance 600 other than the one it was initially installed on. PPE 650 may
disable operation if this machine signature check fails ("no" exit to decision block 3564, FIG. 69K;
disable block 3566)." ('193 243:30-)

- "Signature 3497d may also be updated whenever a significant change is made to the secure database
610. If the CMOS RAM signature 3497d does not match the database value, PPE 650 may take this
mismatch as an indication that a previous instance of the secure database 610 and/or PPE 650 software
has been restored, and appropriate action can be taken." ('900 239:55-240:6)

- ('900 240:15-26); ('900 Claim 183)

Extrinsic:

Machine check: An error condition that is caused by an equipment malfunction. (IBM) 


Metadata 
information 

861.58 


Intrinsic:

- "This metadata can define certain characteristics associated with the object name. For example, such
metadata may impose integrity or other constraints during the creation and/or usage process (e.g.,
"when you create an object, you must provide this information", or "when you display the object, you
must display this information"). The metadata 264 may also further describe or otherwise qualify the
associated object name." ('861 15:21-31)

- ('861 Abstract); ('861 6:2-7); ('861 8:57-64); ('861 13:30-34); ('861 14:7-11); ('861 16:37-52)

Extrinsic:

Metadata: In databases, data that describe data objects. (IBM) 

Information: 1. In information processing, knowledge concerning such things as facts, concepts,
objects, events, ideas, and processes, that within a certain context has a particular meaning. (IBM)

Metadata: 1. In computing, data referring to other data (such as data structures, indices, and pointers)
that are used to instantiate an abstraction (such as 'process,' 'task,' 'segment,' 'file,' or 'pipe'). 2. In
computing, a special database, also referred to as a data dictionary, containing descriptions of the
elements. (Longley)


opening secure 
containers 

683.2 


Intrinsic: 

- "Because container 152 can only be opened within a secure protected processing environment 154 
that is part of the virtual distribution environment described in the above-referenced Ginter et al. patent 
disclosure" ('712 168:22-25) 

- Special mathematical techniques known as "cryptography" can be used to make electronic container 
302 secure so that only intended recipient 4056 can open the container and access the electronic 
document (or other item) 4054 it contains. ('683 15:67-16:4) 

- The appliance 600 may then open the secure electronic container ("attache case") 302 and deliver
the item it contains to recipient *fioo \riU. 7IJ3, djock hvjIiJ). \ Ooj? )

- Appliance 600 may then generate a "send" or "open" event to PPE 650 requesting the PPE to open 
container 302 and allow the user to access its contents. 

- ('193 185:7-30); ('193 185:42-46); ('683 19:27-32); ('193 183:28-29); ('193 183:55-57); ('193 
185:11-16) 

Extrinsic: 

Open: 1. The function that connects a file to a program for processing. 4. To prepare a file for
processing. (IBM)

Secure: Pertaining to the control of who can use an object and to the extent to which the object can be 
used by controlling the authority given to the user. (IBM) 

Container: In data security, a multilevel information structure. A container has a classification and may
contain objects and/or other containers. (Longley)

Container: contains protected content which is divided into one or more atomic elements, and
optionally, PERCs governing the content and may be manipulated only as specified by a PERC. (ITG,
3/7/1995, IT00709616)

Container: A protected (encrypted) storage object that incorporates descriptive information, protected
content, and (optionally) control objects applicable to that content. (ITG, 3/7/1995, IT00709617, see
footnote 3)

Container: A protected digital information storage and transport mechanism for packaging content and
control information. (ITG, 8/21/95, IT00032372, TD00068B)


operating 
environment 

89IJ 


Intrinsic: 
Extrinsic: 

Operating Environment: The physical environment; for example, temperature, humidity, and
layout. (IBM)

Operating system: In computing, a collection of software programs intended to directly control the
hardware of a computer and on which all the other programs running on the computer generally
depend. (Longley)

Environment: See InterTrust node: A computer that is enabled for processing of DigiBox containers 
by installation of a PPE, which may be either hardware or software based. A node may include 
application software and/or operating system integration. The node is also termed the environment. 
(ITG, 8/21/95, IT00032375, TD00068B) 

Operation: A manipulation of some protected resource (e.g., content in a container or control records 
in a PERC) (IT VDE Container Overview, 2/10/95, IT00051228, ETM-9999 Version 0.21)


organization, 
organization 
information, 
organize 

861.58 


Intrinsic: 

- "a descriptive data structure could serve as 'instructions' that drive an automated packaging
application for digital content and/or an automated reader of digital content such as display priorities
and organization (e.g., order and/or layout)." ('861 7:54-57);

- For example, the descriptive data structure may provide a recursive, hierarchical list that reflects
and/or defines a corresponding recursive, hierarchical structure within the rights management data
structure ('861 5:57-63)" — descriptive data structure may directly and/or indirectly specify where, in
an associated rights management data structure, corresponding defined data types may be found." ('861
5:67-6:2);

- Issued claim 1: "a first memory storing a descriptive data structure, said descriptive data structure
including: information regarding a first organization of elements within a secure container, said
information including: information on the organization of said elements within said secure container;
and information on the location of at least some of said elements within said secure container"

- Issued claim 34: "a representation of the format of data contained in a first rights management data 
structure said representation including: element information contained within said first rights 
management data structure; and organization information regarding the organization of said elements 
within said first rights management data structure; and information relating to metadata, said metadata 
including" 

- Issued claim 45 (dependent from 34-44): "said information regarding elements contained within 
said first rights management data structure includes information relating to the location of at least one 
such element" 

- Issued claim 73: "said descriptive data structure organization information includes information
specifying that said first secure container contents will include at least a title and a text section referred
to by said title."

- Issued claim 74: "said descriptive data structure organization information includes information
specifying that said first secure container contents will include at least one advertisement."

- Issued claim 75: "said descriptive data structure further includes information relating to the location 
at which said title, said text section and said advertisement should be stored in said first secure 
container." 

- Issued claim 76: "at least a portion of said descriptive data structure organization information 
includes information specifying fields relating to at least one atomic transaction" 

('193 103:23-46)

Extrinsic: 


portion 

193.1, 193.11,
193.15, 193.19,
912.8, 912.35,
861.58


Intrinsic: 
Extrinsic: 

Portion: "1. A section or quantity within a larger thing; a part of a whole. 2. A part separated from a 
whole." (American Heritage Dictionary 4th Ed.)


prevents 
721.34 


Intrinsic: 

- "VDE can: (a) audit and analyze the use of content, (b) ensure that content is used only in 
authorized ways, and (c) allow information regarding content usage to be used only in ways approved 
by content users." ('193 4:51-56)

"VDE ensures that certain prerequisites necessary for a given transaction to occur are met" ('193
20:27-28)

"For example, shrink-wrapping does not prevent the constant illegal pirating of software once
removed from either its physical or electronic package." ('193 5:60-62)

"VDE, for example, provides the ability to prevent, or impede, interference with and/or observation of, 
important rights related transactions and processes. VDE, in its preferred embodiment" ('193 4:1-4) 

"After receiving enabling distribution control information from creator A, distributor A may 
manipulate an application program to specify some or all of the particulars of usage control information 
for users and/or user/distributors enabled by distributor A (as allowed, or not prevented, by senior 
control information)." ('193 303:63)

- ('193 6:33-35); ('193 15:41-46); ('193 17:22-28); ('193 309:10-16); ('193 303:63-304:1)

Extrinsic:


processing 
environment 
912:35, 900:155, 
721:34, 683.2 


Intrinsic: 

"Another approach to supporting COTS software would use the VDE software running on the 
user's electronic appliance to create one or more "virtual machine" environments in which COTS 
operating system and application programs may run, but from which no information may be 
permanently stored or otherwise transmitted except under control of VDE." ('193 279:26-40) 

"VDE may be combined with, or integrated into, many separate computers and/or other electronic 
appliances. These appliances typically include a secure subsystem that can enable control of content use 
such as displaying, encrypting, decrypting, printing, copying, saving, extracting, embedding, 
distributing, auditing usage, etc. The secure subsystem in the preferred embodiment comprises one or 
more "protected processing environments", ..." ('193 9:22) 

- ('193 9:22-29); ('683 24:26-33); ('193 60:51-64)

Extrinsic:

Processing: 1. The performance of logical operations and calculations on datum including temporary
retention of data in processor storage while the data is being operated on. (IBM)

Process: (1) in computing, the active system entity through which programs run. The entity in a 
computer system to which authorizations are granted; thus the unit of accountability in a computer 
system. 2. In computing, a program in execution. ... (4) In computing, a program is a static piece 
of code and a process is the execution of that code. (Longley) 

Environment: 1. The aggregate of external circumstances, conditions, and objects that affect the
development, operation, and maintenance of a system. 2. In computer security, those factors, both 
internal and external, of an ADP system that help to define the risks associated with its operation 
(Longley) 

Secure Processing Environment (SPE): A hardware-supported realization of the PPE, protected from 
tampering by physical security techniques. No longer preferred because of the potential confusion 
between the "S" in the acronym and "S" as in "Software" (which this isn't). [REPLACEMENT 
UNCERTAIN] (ITG, 5/12/95, IT00028302) 

Environment: See InterTrust node: A computer that is enabled for processing of DigiBox containers 
by installation of a PPE, which may be either hardware or software based. A node may include 
application software and/or operating system integration. The node is also termed the environment. 
(ITG, 8/21/95, IT00032375, TD00068B)


protected 
processing 
environment 
721:34,683.2 


See also "secure" 
Intrinsic: 

Prosecution History of Application 08/778,256 (continuation of '891 Patent, issued at USP 5,949,876)

"Independent claims 65 and 76 each recite a 'protected processing environment' ... Griffeth
et al. [U.S. Pat. No. 5,505,837], Yamamoto [U.S. Pat. No. 5,508,913] and Wyman [U.S. Pat. No.
5,260,999] do not disclose these aspects of these claims.

The system disclosed in Griffeth et al. is designed to allow negotiation to proceed in an
environment in which a negotiating party does not disclose information about its negotiation goals to
the other negotiating party. ... Griffeth et al. does not disclose any privacy protection mechanism and
neither teaches nor suggests any secure processing environment or that any operations (e.g., integration
or execution) occur securely. Indeed, Griffeth contains no suggestion that any protection mechanism is
needed to maintain negotiation goals in privacy, since Griffeth does not suggest that the other party
may try to improperly discover information which is intended to remain private.

Yamamoto states the following: "Here, the data is enciphered by the data encipher apparatuses
26 so as to maintain confidentiality." Col. 3, lines 46-47. Since Yamamoto makes no other reference
to the encipherment, or to the apparatuses 26, it is impossible to determine how the data encipherment
is used, or the roles it plays in the disclosed apparatus. From an examination of Fig. 3, however, it
appears that the data encipher apparatuses 26 are placed on connections between a particular site and
other, physically separated sites. For example, customer office 23b is connected to sub-center 22 by a
line, which apparently represents a communication path. That line connects directly to a data encipher
apparatus 26 in customer office 23b, and to another data encipher apparatus 26 in sub-center 22.

Thus, it appears that the data encipher apparatuses 26 are used, in some undisclosed manner, to
encipher at least some data which travels among physically separated locations. It is possible to
imagine, for example, that data is enciphered prior to being sent out on an insecure public transmission
line, and is then deciphered once received in a new location.

Yamamoto does not disclose, however, that the processing environments are themselves 
secure, or that either execution or integration occur in a secure manner or in a secure environment. 
Indeed, Yamamoto contains no suggestion that security within a processing environment would even be 
desirable. By suggesting that data is deciphered once it enters an office (e.g., office 23b), in fact, 
Yamamoto teaches away from a secure environment, since it would appear that the data is used "in the 
clear" within the office, with no suggested protection beyond a simple password for the computer. 

Wyman is equally deficient regarding these elements. Although Wyman specifies that a license may
contain a digital signature, therefore rendering the license unforgeable (Col. 14, lines 24-54), Wyman
neither teaches nor suggests that the processing environment is itself secure or that any operations occur
in a secure manner. The Wyman digital signatures no more suggest a secure processing environment
than the requirement that paper contracts be signed in ink suggests that the contracts will be created,
read or negotiated in a secure location."

08/778,256 ('876), Amendment, 01/20/98, p. 58-60

- "The role of go-between 4700 may, in some circumstances, be played by one of the participant's 
SPUs 500 (PPEs), since SPU (PPE) behavior is not under the user's control, but rather can be under the 
control of rules and controls provided by one or more other parties other than the user (although in 
many instances the user can contribute his or her own controls to operate in combination with controls 
contributed by other parties)." ('683 24:26) 

- "SPU 500 provides a tamper-resistant protected processing environment ("PPE") in which processes 
and transactions can take place securely and in a trusted fashion." ('683 16:60-62)

- "The computer 3372 may then execute the operational materials 3472 from its hard disk 3376 to
provide software-based protected processing environment 650 and associated software-based tamper
resistant barrier 672)" ('900 231:27-31);

- ('193 20:58-63); ('193 21:11-17); ('721 7:19-23); ('721 16:64-17:5); 

- "HPE(s) 655 and SPE(s) 503 are self-contained computing and processing environments that may 
include their own operating system kernel 688 including code and data processing resources." ('193 
79:36-39) 

- (see Figs. 10 and 13), ('193 79:24), (30523, 105:43, 109:46); ('193 13:7-23); ('193 223:30-44) 

- "In one example, a person with a laptop 5102 or other computer lacking a PPE 650 wishes
nonetheless to take advantage of a subset of secure item delivery services." ('683 62:17-20) 

"Claims 7-11, ... 99-111 ... are rejected under 35 U.S.C. 103(a) as being unpatentable over Fischer 1
(5,412,717) in view of Narasimhalu et al (5,499,298). Fischer discloses a method and apparatus
including a system monitor which limits the ability of a program about to be executed to the use of
predefined resources, .... The set of authorities and restrictions are referred to as "program
authorization information " or "PAI". ... A comparison of independent claim 7 to Fischer to derive the
similarities and differences between the claimed invention and the prior art follows. ... memory
containing a first rule corresponds to a first PAI under a first PCB Here, Fischer provides a secure
container in the form of a program, i.e. a governed item, having an associated PAI, i.e. at least one rule
associated with the secure container. A protected processing environment ("PPE") protecting at least
some information contained in the PPE, see Fischer Terminal A, and including hardware and/or
software used for applying said first rule and the secure container in combination to at least in part
govern at least one aspect of access to or use of the governed item, see Fischer at Figure 5 and column
10, lines 8-39 where the first rule in memory is first PCB providing a first PAI and the secure container
is a program associated with a second PCB providing a first PAI and the secure container is a program
associated with a second PCB having a second PAI associated with the governed item, i.e. the program.
... The difference between claim 7 and Fischer is that the PPE disclosed in Fischer is not explicitly
disclosed as protected from tampering by a user of the first apparatus, i.e. terminal A. The Narasimhalu
patent (hereinafter '298) teaches a method and apparatus for controlling the dissemination of digital
information, [and] that the end user accesses the digital information with a tamper-proof controlled
information access device."

09/221,479 ('683), Office Action, 11/12/99, p. 3-5 (IT00065799-801)

"With respect to the remaining issues, Applicants respectfully disagree. For example, the Examiner 
objects to the use of "environment" as indefinite and unclear. This word, however, is not used in 
isolation, but rather in the context of several longer phrases, all of which are defined in the 
specification. The phrase "protected processing environment," for example, is used in Claims 11 and
15-18 and described on at least, for example, pages 7-8 and 25 of the specification. The term "virtual
distribution environment" used in Claim 11 is described, for example, on page 7 of the specification.
The terms are also described in the commonly copending application Serial Number 08/388,107 of
Ginter et al., filed 13 February 1995, entitled "System and Methods for Secure Transaction
Management and Electronic Rights Protection." A copy of the incorporated Ginter application can be
provided to the Examiner upon request."

(pages 7, 7-8 and 25 of the original specification are '721 2:62-3:13, 2:62-3:34 and 8:6-28 of the issued
patent)

"The role of go-between 4700 may, in some circumstances, be played by one of the participant's SPUs
500 (PPEs), since SPU (PPE) behavior is not under the user's control, but rather can be under the
control of rules and controls provided by one or more other parties other than the user (although in
many instances the user can contribute his or her own controls to operate in combination with controls
contributed by other parties)." ('683 24:26)

08/689,754 ('721), Amendment, 04/14/99, p. 13 

Extrinsic: 

Processing: 1. The performance of logical operations and calculations on datum including temporary 
retention of data in processor storage while the data is being operated on. (IBM) 

Environment: 1. The aggregate of external circumstances, conditions, and objects that affect the
development, operation, and maintenance of a system. 2. In computer security, those factors, both 
internal and external, of an ADP system that help to define the risks associated with its operation 
(Longley) 

IT used "TM" symbol with "Protected Processing Environment" (Panel Abstract: The InterTrust
Commerce Architecture, presented at 20th NISSC, 1997)

Environment: See InterTrust node: A computer that is enabled for processing of DigiBox containers
by installation of a PPE, which may be either hardware or software based. A node may include
application software and/or operating system integration. The node is also termed the environment.
(ITG, 8/21/95, IT00032375, TD00068B)

Protected Processing Environment (PPE) technology: The InterTrust technology that provides the
protected software environment within the InterRights Point. Protected Processing Environment
technology is responsible for the encryption/decryption of data, protected processing of DigiBox
containers, and other secure operations, such as protected database access. (ITG, 1997-1998,
ML00012B)

Protected Processing Environment (PPE): The PPE is the secure part of a VDE node: either a 
hardware or software-protected environment in which VDE mechanisms run without external 
interference. There are various PPE realizations (e.g., physically protected hardware) appropriate to 
different operational requirements (ITG, 3/7/1995, IT00709619, see footnote 2)

Secure Processing Unit: The physically secure hardware component of the SPE: a processor with local
memory and non-volatile storage. The SPE consists of the SPU itself and the SPE software running on
the SPU. (ITG, 3/7/1995, IT00709620, see footnote 2)

"Protected Processing Environment (PPE): An InterTrust node has a unique node ID and contains a 
Protected Processing Environment (PPE) which performs operations on containers and control 
structures under rules specified by PERCs and which may be realized in a tamper resistant hardware 
component or in tamper-resistant software and a protected database, which stores control objects and 
InterTrust applications, operating outside the PPE, which manipulate content and control objects 
through requests to the PPE" (ITG, 4/06/95, IT00028206) 

"All the terms in italics have specific definitions (in the glossary) with respect to InterTrust" 
950406: Global replace of "VDE" with "InterTrust" to match new terminology. (ITG, 4/06/95, 
IT00028206) 

Protected Environment: A portion of the node software that uses, and protects, the protected node data 
such as cryptographic keys. The protected environment is responsible for performing all the protected
functions for manipulating containers and content; that is, all the operations governed by controls. 
(ITG, 5/12/95, IT00028294) 

Protected Processing Environment: (alternate definition): The protected environment in which the 
cryptographic and control functions of InterTrust run. The PPE may be protected environmentally 
(e.g., as a physically protected server machine) or may employ software-based tamper resistance 
techniques. (ITG, 8/21/95, IT00032377, TD00068B)

Secure Processing Environment (SPE): A hardware-supported realization of the PPE, protected from 
tampering by physical security techniques. No longer preferred because of the potential confusion 
between the "S" in the acronym and "S" as in "Software" (which this isn't). [REPLACEMENT
UNCERTAIN] (ITG, 5/12/95, IT00028302) 

Protected Processing Environment (PPE): The InterTrust protected software environment within the 
InterTrust Commerce Node. The PPE is responsible for the encryption/decryption of data, protected 
processing of DigiBox containers, and other secure operations, such as database access. (ITG, 11/17/96
IT00035871.TO00189J) 


protecting 
683.2 


Intrinsic:

- "VDE can: (a) audit and analyze the use of content, (b) ensure that content is used only in authorized
ways, and (c) allow information regarding content usage to be used only in ways approved by content
users." ('193 4:51-56)

- "An attacker would gain little benefit from intercepting this information since it is transmitted in
protected form; she would have to compromise electronic appliance 600(1) or 600(N) (or the SPU
500(1), 500(N)) in order to access this information in unprotected form." ('193 228:25)

- Even if the object is stored locally to the VDE node, it may be stored as a secure or protected object
so that it is not directly accessible to a calling process. ('193 192:14-17)

- ('193 228:25-30); ('193 6:33-35); ('193 15:41-46); ('193 17:22-28)

Extrinsic:

Hoffman, Modern Methods for Computer Security & Privacy at 134

Dictionary of Computing, 3rd Ed. (1990) ("Protected Location: A memory location that can only be 
accessed by an authorized user or process."; "Protected domain: A set of access privileges to protected 
resources.") 

Webster's New World Dictionary of Computer Terms, 4th Ed. (1992) ("To prevent unauthorized
access to programs or a computer system; to shield against harm.")

The New IEEE Standard Dictionary of Electrical and Electronics Terms, 5th Ed. (1993) ("Protection:
(1) (computing systems). See: Storage protection (2) (software). An arrangement for restricting
access to or use of all, or part, of a computer system."; "Storage protection: An arrangement for
preventing access to storage for either reading or writing, or both.")

IN00862862 

Security: The combination of integrity and secrecy, applied to data. (ITG, 5/12/95, IT00028295) 
Secrecy: The inability to obtain any information from data. (ITG, 5/12/95, IT00028294) 


record (n.) 
912.8,912.35 


Intrinsic: 

"The selected method event record 1012, in turn, specifies the appropriate information (e.g., load
modules) 1100, data element UDE(s) and MDE(s) 1200, 1202, and/or PERC(s) 808) used to construct
a component assembly 690 for execution in response to the event that has occurred. ..." ('193 138:12-47)

Extrinsic: 

Record: 1. In programming languages, an aggregate that consists of data objects, possibly with different
attributes, that usually have identifiers attached to them. In some programming languages, records are
call structures. 2. A set of data treated as a unit. 3. A set of one or more related data items grouped for
processing. (IBM)

Record: 1. In computing, a collection of related data treated as a unit, e.g. details of name, address, age,
occupation and department of an employee in a personnel file. 2. In computing, to store signals on a
recording medium for later use. (Longley)

New IEEE Standard Dictionary of Electrical and Electronics Terms (5th ed. 1993)


required 
912.8, 861.58 


Intrinsic: 
See "allow." 
Extrinsic: 


resource 
processed 

891.1 


Intrinsic: 

- ('193 72:39-44); ('193 75:15-30); ('193 283:23-28)

"Smart objects may have the means to request use of one or more services and/or resources. Services 
include locating other services and/or resources such as information resources, language or format 
translation, processing, credit (or additional credit) authorization, etc. Resources include reference 
databases, networks, high powered or specialized computing resources (the smart object may carry 
information to another computer to be efficiently processed and then return the information to the 
sending VDE installation), remote object repositories, etc. Smart objects can make efficient use of 
remote resources (e.g. centralized databases, super computers, etc.) while providing a secure means for 
charging users based on information and/or resources actually used." ('193 38:60-39:8)

Extrinsic: 

Resource: 1. Any of the data processing system elements needed to perform required operations,
including storage, input/output units, one or more processing units, data, files, and programs. 2. Any 
facility of a computing system or operating system required by a job or task, and including main 
storage, input/output devices, processing unit, data sets, and control or processing programs. (IBM) 

Processed: 1. The performance of logical operations and calculations on datum including temporary 
retention of data in processor storage while the data is being operated on. (IBM) 

Process: (1) in computing, the active system entity through which programs run. The entity in a
computer system to which authorizations are granted; thus the unit of accountability in a computer
system. 2. In computing, a program in execution. (4) In computing, a program is a static piece of
code and a process is the execution of that code. (Longley)


rule 

861.58, 683.2 


Intrinsic: 

"A system as in claim 17, said memory further storing at least one rule associated with said first 
secure container, said first secure container rule at least in part governing at least one aspect of access 
to or use of said governed item. 

A system as in claim 19, said at least first secure container rule further including a second rule at least
in part restricting the number of accesses and/or uses a user may make of said governed item."
09/221,479 ('683), Preliminary Amendment, 12/28/99, p. 5 (IT00065690)

"Claims 7-11, ... are rejected under 35 U.S.C. 103(a) as being unpatentable over Fischer (5,412,717) in 
view of Narasimhalu et al (5,499,298). Fischer discloses a method and apparatus including a system 
monitor which limits the ability of a program about to be executed to the use of predefined resources, 

The set of authorities and restrictions are referred to as "program authorization information" or
"PAI". ... A comparison of independent claim 7 to Fischer to derive the similarities and differences
between the claimed invention and the prior art follows. ... memory containing a first rule corresponds
to a first PAI under a first PCB Here, Fischer provides a secure container in the form of a
program, i.e. a governed item, having an associated PAI, i.e. at least one rule associated with the secure
container."

09/221,479 ('683), Office Action, 11/12/99, p. 3-4 (IT00065799-800)

- "In general, VDE enables parties that (a) have rights in electronic information, and/or (b) act as direct
or indirect agents for parties who have rights in electronic information, to ensure that the moving,
accessing, modifying, or otherwise using of information can be securely controlled by rules regarding
how, when, where, and by whom such activities can be performed." ('193 6:24-30)

- "at least one rule and/or control associated with the software agent that governs the agent's
operation." ('193 241:2-3)

"FIG. 4 illustrates examples of some different types of rules and/or control information" ('683 
11:37-38) 

"If necessary, trusted go-between 4700 may obtain and register any methods, rules and/or controls 
it needs to use or manipulate the object 300 and/or its contents (FIG. 122 block 4778)." ('683 47:40- 
45) 

"In this further user interaction provided by object submittal manager 774, the user may specify 
permissions, rules and/or control information to be applied to or associated with the new object 300." 
('193 106:60)

"at least one rule and/or control associated with the software agent that governs the agent's 
operation." ('193 241:2)

"The usage-related "rules and controls" may, for example, specify what a user can and can't do 
with the content and how much it costs to use the content" ('193 55:46-49)

"Container 300x is specified as a content object that is empty of content. It contains a control set 
that contains the following rules: 

1. A write without billing event that specifies a meter and a general budget that limits the
value of writing to $15.00.

2. Audits of usage are required and will be stored in object 300w under control information
specified in that object.

3. An empty use control set that may be filled in by the owner of the information using
predefined methods (method options)." ('193 243:35-37)

- "an object creator or other provider can specify within a descriptive data structure 200, certain rules, 
integrity constraints and/or other characteristics that can or should be applied to the object after it has 
been imported into a target rights management environment" ('861 17:49-53)

('683 54:29-37); ('193 56:28-35); ('193 53:60-63); ('683 47:40-45)

Extrinsic:

Rule: In computing, a statement in an expert system that enables the likelihood of an assertion, or the 
value of an object, to be established. A rule combines lower level assertions or objects to produce a 
value for a higher level assertion or object. (Longley) 

See Business Rule: A specification of the conditions governing how content and controls in DigiBox 
containers may be manipulated. A business rule may specify pricing, terms of use terms, operational
restrictions, payment methods, and other aspects of information use. A rule may also specify
consequences related to usage reporting and payment, for example, specifying that each purchase of
content must be reported to its creator. (ITG, 11/17/96, IT00035863, TD00189J)

"Rules and Controls" means any electronic information that directs, enables, specifies, describes, and/or 
provides contributing means for performing or not-performing, permitted and/or required operations 
related to Content, including, for example, restricting or otherwise governing the performance of 
operations, such as, for example, Management of such Content (License Agreement: IT and Universal 
Music Group, 4/13/99, Exhibit 11 to InterTrust 30(b)(6))

Que at 348; Webster's New World Dictionary of Computer Terms (4th ed.) at 365 


secure 

193.1, 193.11,
193.15, 912.35,
861.58, 891.1,
683.2, 721.34


Intrinsic: 

Because this term is indefinite and used inconsistently, each use of "secure" and forms thereof in the 
asserted patents is relevant and herein included by reference. The following examples are illustrative.

"HPEs 655 may be provided in two types: secure and not secure." ('193 80:8-9)

"Because secondary storage 652 is not secure, SPE 503 must encrypt and cryptographically seal 
(e.g., using a one-way hash function initialized with a secret value known only inside the SPU 500) 
each swap block before it writes it to secondary storage." ('193 107:39-42)

"Insecure external memory may reduce the wait time for swapped pages to be loaded into SPU 
500, but will still incur substantial encryption/decryption penalty for each page." ('193 125:56-59)

- "The following is a non-exhaustive list of some of the advantageous features provided by ROS 602 
in the preferred embodiment: 

Secure 

secure communications 

secure control functions 

secure virtual memory management 

information control structures protected from exposure 

data elements are validated, correlated and access controlled 

components are encrypted and validated independently 

components are tightly correlated to prevent unauthorized use of elements 

control structures and secured executables are validated prior to use to protect against tampering 

integrates security considerations at the I/O level 

provides on-the-fly decryption of information at release time 

enables a secure commercial transaction network 

flexible key management features" ('193 72:52, 73:19)

- "ROS 602 generates component assemblies 690 in a secure matter. As shown graphically, in FIGS.
11I and 11J, the different elements comprising a component assembly 690 may be "interlocking" in the
sense that they can only go together in ways that are intended by the VDE participants who created the 
elements and/or specified the component assemblies. ROS 602 includes security protections that can 
prevent an unauthorized person from modifying elements, and also prevent an unauthorized person 
from substituting elements." (82:60)

- "Because of VDE security, including use of effective encryption, authentication, digital signature,
and secure database structures, the records contain within a VDE card arrangement may be accepted as 
valid transaction records for government and/or corporate recordkeeping requirements." (19:49) 

- "In order to maintain security, SPE 503 must encrypt and cryptographically seal each block being 
swapped out to a storage device external to a supporting SPU 500, and must similarly decrypt, verify 
the cryptographic seal for, and validate each block as it swapped into SPU 500." (123:60) 

- "As mentioned above, memory external to SPU 500 may not be secure. Therefore, when security is 
required, SPU 500 must encrypt secure information before writing it to external memory before using 
it." (69:29) 

- "Only those processes that execute completely within SPEs 503 (and in some cases, HPEs 655) may 
be considered to be truly secure. Memory and other resources external to SPE 503 and HPEs 655 used
to store and/or process code and/or data to be used in secure processes should only receive and handle
that information in encrypted form unless SPE 503/HPE 655 can protect secure process code and/or
data from non-secure processes." (79:11)

- "From time to time, two parties (e.g., PPEs A and B), will need to establish a communication channel 
that is known by both parties to be secure from eavesdropping, secure from tampering, and to be in use
solely by the two parties whose identities are correctly known to each other." (2 1 535)

- "Since all secure communications are at least in part encrypted and the processing inside the secure 
subsystem is concealed from outside observation and interference, the present invention ensures that
content control information can be enforced." ('193 46:4-8)

('193 199:38-47, 221:1-21)

See also prior art referenced in the relevant file histories, e.g. Stefik; Tygar et al., "Dyad: A System for 
Using Physically Secure Coprocessors," School of Computer Science, Carnegie Mellon University, 
Pittsburgh, PA 15213 (May 1991). 

Extrinsic: 

"No data system can be made secure without physical protection of some part of the equipment" 
(Davies, p. 3) 9 

"Security is a negative attribute. We judge a system to be secure if we have not been able to design a 
method of misusing it which gives some advantage to the attacker." (Davies, p.4) 

"Various criteria exist for secure systems - U.S. Dept. of Defense Trusted Computer Security 
Evaluation Criteria (TCSEC), the Orange Book, Red Book, European and Canadian guidelines, U.S. 
National Institute of Standards and Technology, and United Kingdom guidelines." (Neumann) 10

"Security: 1. Protection against unwanted behavior. In present usage, computer security includes
properties such as confidentiality, integrity, availability, prevention of denial of service and prevention 
of generalized misuse. 2. The property that a particular security policy is enforced, with some degree 
of assurance. 3. Security is sometimes used in the restricted sense of confidentiality, particularly in the 
case of multilevel security. Multilevel Security - A confidentiality policy based on the relative ordering
of multilevel security labels (really multilevel confidentiality, ex. - no adverse flow of information with 
respect to sensitivity of information)" (Neumann, Glossary) 

"There are two principal objectives: secrecy (or privacy), to prevent unauthorized disclosure of data; 
and authenticity or integrity) [sic], to prevent the unauthorized modification of data. ... Note, however, 
that whereas it can be used to detect message modification, it cannot prevent it. Encryption alone does 
not protect against replay, because an opponent could simply replay previous ciphertext" (Denning, 
p.5)

"A cipher is unconditionally secure if no matter how much ciphertext is intercepted, there is not
enough information in the ciphertext to determine the plaintext uniquely" (Denning, p.5) (Davies, p.

"A cipher is computationally secure, or strong, if it cannot be broken by systematic analysis with 
available resources." (Denning, p.5) (Davies, p.41, 370)

Security: The combination of integrity and secrecy, applied to data. (ITG, 5/12/95, IT00028295) 

Secrecy: The inability to obtain any information from data. (ITG, 5/12/95, IT00028294)

". . . security includes concealment, integrity of messages, authentication of one communicating party 
by the other. . ." (Neumann, p. 8) 



9 "Davies" herein refers to Davies, D., et al, Security for Computer Networks, 1984. 

10 "Neumann" herein refers to Neumann, P.G., Computer Related Risks, 1995.

"Computer security rests on confidentiality, integrity, and availability. The interpretations of these three
aspects vary, as do the contexts in which they arise. 

Confidentiality is the concealment of information or resources. [] Confidentiality also applies to the
existence of data, which is sometimes more revealing than the data itself.
[] All mechanisms that enforce confidentiality require supporting services from the system. The
assumption is that the security services can rely on the kernel, and other agents, to supply correct data. 
Thus, assumptions and trust underlie the confidentiality mechanisms. 

Integrity refers to the trustworthiness of data or resources, and it is usually phrased in terms of
preventing improper or unauthorized change. Integrity includes data integrity (the content of the
information) and origin integrity (the source of the data, often called authentication).
Integrity mechanisms fall into two classes: prevention mechanisms and detection mechanisms. 
Protection mechanisms seek to maintain the integrity of the data by blocking any unauthorized attempts 
to change the data or any attempts to change the data in unauthorized ways. 

Detection mechanisms do not try to prevent violations of integrity; they simply report that the data's
integrity is no longer trustworthy." (Bishop, p. 4-6) 11

"Definition 4-1. A security policy is a statement that partitions the states of the system into a set of
authorized, or secure, states and a set of unauthorized, or nonsecure, states.

Definition 4-2. A secure system is a system that starts in an authorized state and cannot enter an
unauthorized state." (Bishop, p. 95)

"24.5.1 Secure Systems

Systems designed with security in mind have auditing mechanisms integrated with the system design 
and implementation." (Bishop, p.706) 

"Computer security is assuring the secrecy, integrity, and availability of components of computing 
systems. The three principal pieces of a computing system subject attacks are hardware, software, and 
data. These three pieces, and the communications between them, constitute the basis of computer 
security vulnerabilities. This chapter has identified four kinds of attacks on computing systems: 
interruptions, interceptions, modifications, and fabrications. 

Three principles affect the direction of work in computer security. By the principle of easiest 
penetration, a computing system penetrator will use whatever means of attack is the easiest; therefore,
all aspects of computing system security need to be considered at once. By principle of timeliness, a
system needs to be protected against penetration only long enough so that penetration is of no value to 
the penetrator. The principle of effectiveness states that controls must be usable and used in order to 
serve purpose. 

Controls can be applied at the levels of data, programs, the system, physical devices, communications 
links, the environment, and personnel. Sometimes several controls are needed to cover a single 
vulnerability, and sometimes one control addresses several problems at once." (Pfleeger, p.4) 

See also InterTrust's Rule 30(b)(6) testimony and Microsoft PLR 4-2 Exhs. E & F as revised. 
(Examples follow). Webster's New 20th Century Dictionary (1947) at 1540-41;
Pfleeger at 4-5;
Spencer, Personal Computer Dictionary at 156;
The Computer Glossary at 460;
McGraw-Hill Dictionary of Scientific and Technical Terms at 17S8;
Practical Unix Security at 11-12 (O'Reilly 1991);
Bishop, Computer Security (2002) pp. 3-24, 47;
Hoffman, Modern Methods for Computer Security and Privacy at 2, 134-35;
Mullender, ed., Distributed Systems (Addison Wesley 2d ed.) at 367, 420;
Landwehr, "Formal Models for Computer Security" (ACM 1981);
Merkle, "Protocols for Public Key Cryptosystems" (IEEE 1980);
Cooper, Computer & Communication Security, at 383;
Baker, The Computer Security Handbook at 273;
Computer Security Handbook at 389;
Matheson et al., Robustness and Security of Digital Watermarks;
National Information Systems Security (INFOSEC) Glossary at 49-50;
Internet Security Glossary (RFC2828);
Tanenbaum, Modern Operating Systems (1992) at 181-82

11 "Bishop" herein refers to Bishop, M., Computer Security: Art and Science, 2003.

IN64706-45, IN176319-72, IT735936 (integrity), IT735938-9 

IN00862862, ITI678-96, IT39208-26, IT702969-83, IT399877-80 

"Secure. Pertaining to the control of who can use an object and to the extent to which the object can be 
used by controlling the authority given to the user."; "Computer Security. 1. Concepts, techniques,
technical measures, and administrative measures used to protect the hardware, software and data of an
information processing system from deliberate or inadvertent unauthorized acquisition, damage,
destruction, disclosure, manipulation, modification or use or loss. 2. Protection resulting from the
application of computer security." (IBM)

"Security: Freedom from risk or danger. Safety and assurance of safety"; "secure state - a condition in 
which none of the subjects in a system can access objects in an unauthorized manner. . ."(Russell, 
Computer Security Basics, 1992, pp. 8-11, 113, 227, 420)

"Various criteria exist for secure systems - U.S. Dept. of Defense Trusted Computer Security 
Evaluation Criteria (TCSEC), the Orange Book, Red Book, European and Canadian guidelines, U.S. 
National Institute of Standards and Technology, and United Kingdom guidelines." 
The New IEEE Standard Dictionary of Electrical and Electronics Terms, 5th Ed. (1993) at 1181 ("The
protection of computer hardware and software from accidental or malicious access, use, modification, 
destruction, or disclosure.") 

Dictionary of Computing, 3rd Ed. (1990) at 406 ("Prevention of or protection against (a) access to 
information by unauthorized recipients or (b) intentional but unauthorized destruction or alteration of 
that information:") 

Information Security Dictionary of Concepts, Standards, and Terms (1992) ("The quality or state of 
being cost-effectively protected from undue losses (e.g. loss of goodwill, monetary loss, loss of ability 
to continue operations, etc.)") 


secure container 

912.35, 861.58, 
683.2 


See "secure" and "container" 
Intrinsic: 

- Prosecution History of '861 Patent:

"Anderson [U.S. Patent No. 5,537,526] does not explicitly address a secure container
per se, but does place documents into containers [Fig. 8 202] and place restriction via
links attached to documents ... which can include restrictions ... Such security tools are
rightfully attached to a structure encapsulating the document, e.g. its container."
08/805,804 ('861), Office Action, 06/25/98, p. 5. MSI 27417-25

- Prosecution History of '683 Patent:

"Claims 7-11, ... are rejected under 35 U.S.C. 103(a) as being unpatentable over Fischer
(5,412,717) in view of Narasimhalu et al (5,499,298). ... The set of authorities and 
restrictions are referred to as "program authorization information" or "PAI". ... A 
comparison of independent claim 7 to Fischer to derive the similarities and differences 
between the claimed invention and the prior art follows. ... Here, Fischer provides a 
secure container in the form of a program, i.e. a governed item, having an associated 
PAI, i.e. at least one rule associated with the secure container."
09/221,479 ('683), Office Action, 11/12/99, p. 3-4 (IT00065799-800 in IT65863-65)

- Prosecution History of Application 08/689,606, filed 12 August 1996: (issued as USP 5,943,422
incorporating 1 1 07) Amendment dated 2 July 1998:

"1. (Amended) A rights management method comprising: (a) receiving an information
signal; (b) steganographically decoding the received information signal to recover digital
rights management control information packaged within at least one secure digital
container and (c) performing at least one rights management operation based at least in
part on the recovered digital rights management control information. []
Remarks [] For example, amended Claims 1, 15 and 22 each recite a digital secure
container in combination. Neither Rhoads [USP 5,636,292], nor any of the other applied 
references, teaches or suggests the recited combination of features including any digital 
secure container." 

- Rhoads, USP 5,636,292:

"Fully Exact Steganography

Prior art steganographic methods currently known to the inventor generally involve fully 
deterministic or "exact" prescriptions for passing a message. Another way to say this is 
that it is a basic assumption that for a given message to be passed correctly in its entirety, 
the receiver of the information needs to receive the exact digital data file sent by the 
sender, tolerating no bit errors or "loss" of data. By definition, "lossy" compression and 
decompression on empirical signals defeat such steganographic methods. (Prior art, such 
as the previously noted Komatsu work, are the exceptions here.) 
The principles of this invention can also be utilized as an exact form of steganography 
proper. It is suggested that such exact forms of steganography, whether those of prior art 
or those of this invention, be combined with the relatively recent art of the "digital 
signature" and/or the DSS (digital signature standard) in such a way that a receiver of a 
given empirical data file can first verify that not one single bit of information has been 
altered in the received file, and thus verify that the contained exact steganographic 
message has not been altered." (55:5-26)

"One exemplary application is placement of identification recognition units directly 
within modestly priced home audio and video instrumentation (such as a TV). Such
recognition units would typically monitor audio and/or video looking for these copyright
identification codes, and thence triggering simple decisions based on the findings, such 
as disabling or enabling recording capabilities, or incrementing program specific billing 
meters which are transmitted back to a central audio/video service provider and placed 
onto monthly invoices." (29:23) 

- "Use of secure electronic containers to transport items provides an unprecedented degree of security, 
trustedness and flexibility" ('683 8:50-52)

- "Even if the object is stored locally to the VDE node, it may be stored as a secure or protected 
object so that it is not directly accessible to a calling process, ACCESS method 2000 establishes the 
connections, routings, and security requisites needed to access the object" ('193 192:41-)

"Electronic delivery person 4060 receives item 4054 in digital form and places it into a secure
electronic container 302—thus forming a digital "object" 300. A digital object 300 may in this case be,
for example, as shown in FIGS. 5A and 5B, and may include one or more containers 302 containing
item 4054. FIG. 88 illustrates secure electronic container 302 as an attaché case handcuffed to the
secure delivery person's wrist. Once again, container is shown as a physical thing for purposes of
illustration only-in the example it is preferably electronic rather than physical, and comprises digital
information having a well-defined structure (see FIG. 5A). Special mathematical techniques known as
"cryptography" can be used to make electronic container 302 secure so that only intended recipient 
4056 can open the container and access the electronic document (or other item) 4054 it contains." 
('683 15:56-16:6) 

"Because container 152 can only be opened within a secure protected processing environment 154 
that is part of the virtual distribution environment described in the above-referenced Ginter et al. patent
disclosure" ('712 168:22-25) 

"A VDE content container is an object that contains both content (for example, commercially 
distributed electronic information products such as computer software programs, movies, electronic 
publications or reference materials, etc.) and certain control information related to the use of the 
object's content." ('193 19:15-21)

- ('193 82:24-45); ('193 192:36-52); ('683 18:49-56); ('861 4:51-64)

Extrinsic:

Container: VDE objects are represented in a special form called a container. The container is
implemented within the VDE as an object-oriented container class. The container class provides a
standard method by which applications software may encapsulate and read information stored within
the object. Additionally, the container may include procedural information associated with the data
being stored. Containers may be nested, and share attributes with nested elements. Nested containers
are stored within a larger container. VDE recognizes the presence of additional objects within the
content, and allows the nested containers to share, extend or override the attributes of an outer
container. (VDE ROI DEVICE v1.0a 9 Feb 1994, IT00008572)

Secure: Pertaining to the control of who can use an object and to the extent to which the object can be 
used by controlling the authority given to the user. (IBM) 

Container: In data security, a multilevel information structure. A container has a classification and may
contain objects and/or other containers. (Longley) 

Container: A protected (encrypted) storage object that incorporates descriptive information, protected 
content, and (optionally) control objects applicable to that content. (ITG, 3/7/1995, IT00709617, see 
footnote 2) 

Container: A contains protected content, which is divided into one or more atomic elements, and,
optionally, PERCs governing the content and may be manipulated only as specified by a PERC. (ITG, 
4/6/95, IT00028206, see footnote 5) 

Container: A packaging mechanism, consisting of: *One or more Element-derived components. *An 
organization mechanism which provides a unique name within a flat namespace for each of the 
components in a Container (ITG, 5/12/95, IT00028293) 

Container: A protected digital information storage and transport mechanism for packaging content and
control information. (ITG, 8/21/95, IT00032372, TD00068B)

"Secure Container(s)" means electronic container(s) or electronic data arrangements that: (i) use one or
more cryptographic or other obfuscation techniques to provide protection for at least a portion of the
Content thereof; and (ii) supports the use of Rules and Controls to enable the Management of Content
(License Agreement IT and Universal Music Group, 4/13/99, Exhibit 11 to IT 30(b)(6))

A protected digital information storage and transport mechanism for packaging content and control 
information. (IT 691187) 

Secure container: A DigiBox container provides security through encryption and the PPE of a
commerce node. A secure container does not require a secure communications transport mode. (IT 
35965) 

A DigiBox container provides for the persistent protection of its properties. (IT 35920) 
DigiBox containers ensure integrity. (IT 35895) 


secure container 
governed item 

683.2 


Intrinsic: 
Extrinsic: 

Secure: Pertaining to the control of who can use an object and to the extent to which the object can be 
used by controlling the authority given to the user. (IBM) 

Container: In data security, a multilevel information structure. A container has a classification and may
contain objects and/or other containers. (Longley)

Item: 1. An element of a set of data. 2. One unit of a commodity such as one box, one bag, or one can.
(IBM) 

Item: In computing, a group of related characters treated as a unit. For example, a record may comprise 
a number of items, that in turn may consist of other items. (Longley) 

Container: A protected (encrypted) storage object that incorporates descriptive information, protected
content, and (optionally) control objects applicable to that content. (ITG, 3/7/95, IT00709617, see
footnote 2)

Container: A packaging mechanism, consisting of: *One or more Element-derived components. *An
organization mechanism which provides a unique name within a flat namespace for each of the
components in a Container (ITG, 5/12/95, IT00028293)

Container: A protected digital information storage and transport mechanism for packaging content and
control information. (ITG, 8/21/95, IT00032372, TD00068B)

Secure Processing Unit: The physically secure hardware component of the SPE: a processor with local 
memory and non-volatile storage. The SPE consists of the SPU itself and the SPE software running on 
the SPU. (ITG, 3/7/95, IT00709620, see footnote 2) 

DigiBox Container: InterTrust's secure cryptographic data structure for packaging and containing
contents and controls. A DigiBox container provides for the persistent protection of its content and
controls through the Protected Processing Environment of XECutor. A DigiBox container eliminates
the need for a secure communications channel, such as SSL or SHTTP. (ITG, 10/2/96, IT00035893,
TD00189F)

DigiBox Container: A format for protected storage and transport of digital content and business rules.
The DigiBox container uses cryptography to ensure that the information it holds is protected and can
only be manipulated by InterTrust Commerce Nodes. (ITG, 11/17/96, IT00035866, TD00189J)


secure database 

193.1, 193.11, 
193.15 


Intrinsic: 

- See '193, Figures 7, 10.

- "FIG. 36 shows an example of how a new record or element may be inserted into a secure database 
610. The load process 1070 shown in FIG. 35 checks each data element or item as it is loaded to ensure
that it has not been tampered with, replaced or substituted. In the process 1070 shown in FIG. 35, the 
first step that is performed is to check to see if the current user of electronic appliance 600 is 
authorized to insert the item into secure database 610 (block 1072)... The non-secure element within its 
security wrapper may then be stored within secure databases 610." 

- "The keys to decrypt secure database 610 records are, in the preferred embodiment, maintained 
solely within the protected memory of an SPU 500." 

- "By using this process, SPE 503 can protect the data structure (including the indexes) of secure 
databases 610 against substitutions of old items and against substitution of indexes for current items."

- "The security of secure databases 610 files may be further improved by segmenting the records into
"compartments." Different encryption/decryption keys may be used to protect different
"compartment." This strategy can be used to limit the amount of information within secure database
310 that is encrypted with a single key. Another technique for increasing secure database 610 may be
to encrypt different portions of the same records with different keys so that more than one key may 
needed to decrypt these records." 

- "Each electronic appliance 600 may have an instance of secure database 610 that securely maintains 
the VDE items. FIG. 16 shows one example of a secure database 610."

- "VDE Secure Database 610: VDE 100 stores separately deliverable VDE elements in a secure (e.g., 
encrypted) database 610 distributed to each VDE electronic appliance 610. The database 610 in the
preferred embodiment may store and/or manage three basic classes of VDE items: VDE objects, VDE 
process elements, and VDE data structures." 

- "Secure Database Keys: PPE 650 preferably generates these secure database keys and never exposes 
the outside of the PPE. They are site-specific in the preferred embodiment, and may be "aged" as 
described above. As described above, each time an updated record is written to secure database 610, a 
new key may be used and kept in a key list within the PPE." (212:36) 

- "Secure database encryption keys in the preferred embodiment are frequently changing and are also 
site specific" (219:30)

- ('193 79:24); ('193 71:28-40); ('193 111:59-67)

Extrinsic:

Secure store: The Secure store is the system area that provides an encrypted storage method for storing 
ROI internal files and other highly secure information. In some applications, entire media volumes can
be distributed encrypted as part of the secure store to enhance overall security for the content by 
obscuring the file system and media descriptors associated with the volume. A dedicated volume or 
partition will only be required if an application cannot be supported without it (e.g. a required 
government security level for the specific application). In most cases, the user will not be required to 
dedicate an entire volume or partition of the hard disk, and the secure store will be supported using an 
encrypted file, or files, on the hard disk. ROI will also support a dedicated partition as an option to the 
administrator of a network server, as one of several ways to assure the integrity of the system. (VDE 
ROI DEVICE v1.0a 9 Feb 1994, IT00008586) 

Database: 1. A collection of data with a given structure for accepting, storing, and providing, on 
demand, data for multiple users. 2. A collection of interrelated data 
organized according to a database schema to serve one or more applications. 3. A collection of data 
fundamental to a system. 4. A collection of data fundamental to an enterprise. (IBM) 

Database: 1. An extensive and comprehensive set of records collected and organized in a meaningful 
manner to serve a particular purpose. 2. In computing, a collection of stored operational data used by 
the applications system of an enterprise. (Longley) 

"The basic security requirements of data base systems are not unlike the security requirements of other 
computing systems we have studied. The basic problems-access control, exclusion of spurious data, 
authentication of users, reliability-have appeared in many contexts so far in this book. Following is a list 
of requirements for security of data base systems. 

Physical data base integrity, so that the data of a data base is immune to physical 
problems, such as power failures, and so that it is possible to reconstruct that data base if 
it is destroyed through a catastrophe. 

Logical data base integrity, so that the structure of the data base is preserved. With 
logical integrity of a data base, a modification to the value of one field does not affect 
other fields, for example. 

Element integrity, so that the data contained in each element is accurate. 

Auditability, to be able to track who has accessed (or modified) the elements in the data 
base. 

Access control, so that a user is allowed to access only authorized data and so that 
different users can be restricted to different modes of access (for example, read or write). 

User authentication, to be sure that every user is positively identified, both for audit trail 
and for permission to access data. 

Availability, meaning that users can access the data base in general and all the data for 
which they are authorized." (Pfleeger) 

Security: The combination of integrity and secrecy, applied to data. (ITG, 5/12/95, IT00028295) 
Secrecy: The inability to obtain any information from data. (ITG, 5/12/95, IT00028294) 


secure execution 
space 

721.34 


Intrinsic: 

- Prosecution History of '721 Patent: 

"execution spaces" "refers to a resource which can be used for execution of a program or process." 
Amendment 

- "Protected execution spaces such as protected processing environments can be programmed or 
otherwise conditioned to accept only those load modules or other executables bearing a digital 
signature/certificate of an accredited (or particular) verifying authority. Tamper resistant barriers may 
be used to protect this programming or other conditioning. The assurance levels described below are a 
measure or assessment of the effectiveness with which this programming or other conditioning is 
protected." 

- ('721 3:16-23) 

- "A protected processing environment or other secure execution space protects itself by executing 
only those load modules or other executables that have been digitally signed for its corresponding 
assurance level." 

- "Different protected processing environments (secure execution spaces) might examine different 
subsets of the multiple digital signatures-so that compromising one protected processing environment 
(secure execution space) will not compromise all of them." 

- "The internal ROM 532 and RAM 534 within SPU 500 provide a secure operating environment and 
execution space." ('193 69:33-35) 

- SPU 500 general purpose RAM 534 provides, among other things, secure execution space for secure 
processes. ('193 70:43-44) 

"Virtual memory manager 580 provides a fully "virtual" memory system to increase the amount of 
"virtual" RAM available in the SPE secure execution space beyond the amount of physical RAM 534a 
provided by SPU 500." ('193 109:24-45) 

Extrinsic: 

Secure: Pertaining to the control of who can use an object and to the extent to which the object can be 
used by controlling the authority given to the user. (IBM) 

Execution: The process of carrying out an instruction or instructions of a computer program by a 
computer. (IBM) 

Space: 1. A site intended for storage of data. 2. A basic unit of area, usually the size of a single 
character. 8. To cause a printer to move the paper a specified number of lines either before or after it 
prints a line. (IBM) 


secure memory, 
memory 

193.1, 193.11, 
193.15 


Intrinsic: 

- "Because secondary storage 652 is not secure, SPE 503 must encrypt and cryptographically seal 
(e.g., using a one-way hash function initialized with a secret value known only inside the SPU 500) 
each swap block before it writes it to secondary storage." ('193 107:39-46) 

- "Due to the practical limits on the amount of ROM 532 and RAM 534 that may be included within 
SPU 500, SPU 500 may store information in memory external to it, and move this information into and 
out of its secure internal memory space on an as needed basis." ('193 18:14-19); 

- "Such external memory may be used to store SPU programs, data and/or other information. For 
example, a VDE control program may be, at least in part, loaded into the memory and communicated 
to and decrypted within SPU 500 prior to execution. Such control programs may be re-encrypted and 
communicated back to external memory where they may be stored for later execution by SPU 500. 
"Kernel" programs and/or some or all of the non-kernel "load modules" may be stored by SPU 500 in 
memory external to it. Since a secure database 610 may be relatively large, SPU 500 can store some or 
all of secure database 610 in external memory and call portions into the SPU 500 as needed. As 
mentioned above, memory external to SPU 500 may not be secure. Therefore, when security is 
required, SPU 500 must encrypt secure information before writing it to external memory, and decrypt 
secure information read from external memory before using it. Inasmuch as the encryption layer relies 
on secure processes and information (e.g., encryption algorithms and keys) present within SPU 500, 
the encryption layer effectively "extends" the SPU security barrier 502 to protect information the SPU 
500 stores in memory external to it." ('193 71:19-40) 

- "Key and Tag Manager 558 also provides services relating to tag generation and management. In the 
preferred embodiment, transaction and access tags are preferably stored by SPE 503 (HPE 655) in 
protected memory (e.g., within the NVRAM 534b of SPU 500). These tags may be generated by key 
and tag manager 558. They are used to, for example, check access rights to, validate and correlate data 
elements. For example, they may be used to ensure components of the secured data structures are not 
tampered with outside of the SPU 500." ('193 120:59-121:3) 

- "The degree of overall security of the VDE system is primarily dependent on the degree of tamper 
resistance and concealment of VDE control process execution and related data storage activities. 
Employing special purpose semiconductor packaging techniques can significantly contribute to the 
degree of security. Concealment and tamper-resistance in semiconductor memory (e.g., RAM, ROM, 
NVRAM) can be achieved, in part, by employing such memory within an SPU package, by encrypting 
data before it is sent to external memory (such as an external RAM package) and decrypting encrypted 
data within the CPU/RAM package before it is executed. This process is used for important VDE 
related data when such data is stored on unprotected media, for example, standard host storage, such as 
random access memory, mass storage, etc." ('193 21:26-40) 

- "Secondary storage 652 may comprise the same one or more non-secure secondary storage 
devices (such as a magnetic disk and a CD-ROM drive as one example) that electronic appliance 600 
uses for general secondary storage functions. In some implementations, part or all of secondary storage 
652 may comprise a secondary storage device(s) that is physically enclosed within a secure enclosure. 
However, since it may not be practical or cost-effective to physically secure secondary storage 652 in 
many implementations, secondary storage 652 may be used to store information in a secure manner by 
encrypting information before storing it in secondary storage 652. If information is encrypted before it 
is stored, physical access to secondary storage 652 or its contents does not readily reveal or 
compromise the information." ('193 62:43-58) 

/mo-j <;o-An-Afi-7V ( % 107 £Q-47_48Y ( l \ fl93 59-48-59V T193 63*60-64*5)' r* 193 
69:6-11); ('193 69:27-32); ('193 69:39-43); ('193 71:32-35); ('193 71:42-47); ('193 78:16-17); ('193 
120:37-41) 

Extrinsic: 

Secure: Pertaining to the control of who can use an object and to the extent to which the object can be 
used by controlling the authority given to the user. (IBM) 

Memory: All of the addressable storage space in a processing unit and other internal storages that is 
used to execute instructions. (IBM) 


secure operating 
environment, 
said operating 
environment 

891.1 


Intrinsic: 

- "VDE provides a secure operating environment employing VDE foundation elements along with 
secure independently deliverable VDE components that enable electronic commerce models and 
relationships to develop." ('193 13:37-41) 

- "The internal ROM 532 and RAM 534 within SPU 500 provide a secure operating environment and 
execution space." (67:29) 

- ('193 34:26-49); ('193 72:52-73:37); ('193 77:30-44) 

Extrinsic: 

Execution environment: Some load modules contain code that executes in a ROI device. Some load 
modules will contain code that executes in the user's platform microprocessor. This allows methods to 
be constructed that execute in whichever environment is appropriate. For example an information 
method could be built to execute only in ROI secure space for government classes of security, or in the 
user's platform microprocessor for virtually all commercial applications. The public header of the load 
module will contain a field that indicates where it needs to execute. This functionality also allows for 
different ROI devices as well as different user platforms and allows methods to be constructed for 
either. It should be noted that load modules that execute outside of an ROI device are deemed insecure 
by the VDE Architecture and secure processes should not be implemented using load modules that 
execute outside of an ROI device. (VDE ROI DEVICE v 1.0a, 9 Feb 1994, IT00008592) 

"Saltzer [SAL74] and Saltzer and Schroeder [SAL75] listed the following principles of the design of 
secure protection systems. 

Least privilege: Each user and each program should operate using the fewest privileges 
possible. In this way, the damage from an inadvertent or malicious attack is minimized. 

Economy of mechanism: The design of the protection system should be small, simple 
and straightforward. Such a protection can be exhaustively tested, perhaps verified, and 
trusted. 

Open design: The protection mechanism must not depend on the ignorance of potential 
attackers; the mechanism should be public, depending on secrecy of relatively few key 
items, such as a password table. An open design is also available for extensive public 
scrutiny. 

Complete mediation: Every access must be checked. 

Permission-based: The default condition should be denial of access. A conservative 
designer identifies those items that should be accessible, rather than those that should not. 

Separation of privilege: Ideally, access to objects should depend on more than one 
condition, such as user authentication plus a cryptographic key. In this way, someone 
who defeats one protection system will not have complete access. 

Least common mechanism: Shared objects provide potential channels for information 
flow. Systems employing physical or logical separation reduce the risk from sharing. 

Easy to use: If a mechanism is easy to use, it is unlikely to be avoided." 
(Pfleeger section 7.2) 

Environment: See InterTrust node: A computer that is enabled for processing of DigiBox containers 
by installation of a PPE, which may be either hardware or software based. A node may include 
application software and/or operating system integration. The node is also termed the environment. 
(ITG, 8/21/95, IT00032375, TD00068B) 


securely applying 
891.1 


Intrinsic: 
Extrinsic: 

Secure: Pertaining to the control of who can use an object and to the extent to which the object can be 
used by controlling the authority given to the user. (IBM) 

Applying: 1. In journaling, to place after-images of records into a physical file member. The after- 
images are recorded as entries in a journal. 2. An SMP process that moves distributed code and MVS- 
type programs to the system libraries. (IBM) 


securely 
assembling 

912.8, 912.35 


Intrinsic: 

- ('193 87:33-40) 

"ROS 602 also provides a tagging and sequencing scheme that may be used within the loadable 
component assemblies 690 to detect tampering by substitution." ('193 87:41-62) 

"ROS 602 generates component assemblies 690 in a secure manner. As shown graphically in 
FIGS. 11I and 11J, the different elements comprising a component assembly 690 may be 
"interlocking" in the sense that they can only go together in ways that are intended by the VDE 
participants who created the elements and/or specified the component assemblies. ROS 602 includes 
security protections that can prevent an unauthorized person from modifying elements, and also 
prevent an unauthorized person from substituting elements." ('193 84:60-85:2) 

"ROS 602 assembles these elements together into an executable component assembly 690 prior to 
loading and executing the component assembly (e.g., in a secure operating environment such as SPE 
503 and/or HPE 655). ROS 602 provides an element identification and referencing mechanism that 
includes information necessary to automatically assemble elements into a component assembly 690 in 
a secure manner prior to, and/or during, execution." ('193 83:44-52) 

- ('107 page 782 claim 80); ('193 116:25-35); ('193 116:29-33) 

Extrinsic: 

Secure: Pertaining to the control of who can use an object and to the extent to which the object can be 
used by controlling the authority given to the user. (IBM) 


securely 
processing 

891.1 


Intrinsic: 

- "VDE can satisfy the requirements of widely differing electronic commerce and data security 
applications by, in part, employing this general purpose transaction management foundation to securely 
process VDE transaction related control methods." ('193 25:52-57) 

- "For example, they [HPE and SPE] may each perform secure processing based on one or more VDE 
component assemblies 690, and they may each offer secure processing services to OS kernel 680." 
('193 79:43-46) 

- "VDE methods 1000 are designed to provide a very flexible and highly modular approach to secure 
processing" ('193 181:18-19) 

- "In these cases, secure processing steps performed by an SPU typically must be segmented into 
small, securely packaged elements that may be "paged in" and "paged out" of the limited available 
internal memory space." (67:39) 

- ('193 21:43-22:31); ('193 109:24-45); ('193 139:28-31); ('683 24:26-33) 

- Load modules are not necessarily directly governed by PERCs 808 that control them, nor must they 
contain any time/date information or expiration dates. The only control consideration in the preferred 
embodiment is that one or more methods 1000 reference them using a correlation tag (the value of a 
protected object created by the load module's owner, distributed to authorized parties for inclusion in 
their methods, and to which access and use is controlled by one or more PERCs 808). If a method core 
1000' references a load module 1100 and asserts the proper correlation tag (and the load module 
satisfies the internal tamper checks for the SPE 503), then the load module can be loaded and executed, 
or it can be acquired from, shipped to, updated, or deleted by, other systems. 

- ROS 602 also provides a tagging and sequencing scheme that may be used within loadable 
component assemblies 690 to detect tampering by substitution. Each element comprising a component 
assembly 690 may be loaded into a SPU 500, decrypted using encrypt/decrypt engine 522, and then 
tested/compared to ensure that the proper element has been loaded. ... In addition, a 
validation/correlation tag stored under the encrypted layer of the loadable element may be compared to 
make sure it matches one or more tags provided by a requesting process. This prevents unauthorized use 
of information. As a third protection, a device assigned tag (e.g., a sequence number) stored under an 
encryption layer of loadable element may be checked to make sure it matches a corresponding tag value 
expected by SPU 500. This prevents substitution of older elements. Validation/correlation tags are 
typically passed only in secure wrappers to prevent plaintext exposure of this information outside of 
SPU 500. 

- Key and Tag Manager 558 also provides service relating to tag generation and management. In the 
preferred embodiment, transaction and access tags are preferably stored by SPE 503 (HPE 655) in 
protected memory (e.g., within the NVRAM 534b of SPU 500). These tags may be generated by key 
and tag manager 558. They are used to, for example, check access rights to, validate and correlate data 
elements. For example, they may be used to ensure components of the secured data structures are not 
tampered with outside of the SPU 500. 

- Initiation of load module execution in this environment is strictly controlled by a combination of 
access tags, validation tags, encryption keys, digital signatures, and/or correlation tags. Thus, a load 
module 1100 may only be referenced if the caller knows its ID and asserts the shared secret correlation 
tag specific to that load module. The decrypting SPU may match the identification token and local 
access tag of a load module after decryption. These techniques make the physical replacement of any 
load module 1100 detectable at the next physical access of a load module. 

- Meters and budgets are common examples of this. Expiration dates cannot be used effectively to 
prevent substitution of the previous copy of a budget UDE 1200. To secure these frequently updated 
items, a transaction tag is generated and included in the encrypted item each time that item is updated. 
A list of all VDE item IDs and the current transaction tags for each item is maintained as part of the 
secure database 610. 

UDEs 1200 are preferably encrypted using a site specific key once they are loaded into a site. This site- 
specific key marks a validation tag that may be derived from a cryptographically strong pseudo-random 
sequence by the SPE 503 and updated each time the record is written back to the secure database 610. 
This technique provided reasonable assurance that the UDE 1200 has not been tampered with nor 
submitted when it is requested by the system for the next use. 

Extrinsic: 

Secure: Pertaining to the control of who can use an object and to the extent to which the object can be 
used by controlling the authority given to the user. (IBM) 

Process: 1. The performance of logical operations and calculations on datum including temporary 
retention of data in processor storage while the data is being operated on. (IBM) 

Process: (1) in computing, the active system entity through which programs run. The entity in 
a computer system to which authorizations are granted; thus the unit of accountability in a computer 
system. (2) In computing, a program in execution. (4) In computing, a program is a static piece of 
code and a process is the execution of that code. (Longley) 

Processing: In legislation, as defined by the U.K. Data Protection Act of 1984, pertaining to the 
amending, augmenting, deleting, or re-arranging of the data or extracting the information constituting 
the data and, in the case of personal data, processing means performing any of the abovementioned 
operations by reference to the data subject. (Longley) 


securely 
receiving 

891.1 


Intrinsic: 

Prosecution History of Application 08/388,107: "Johnson's user database is not securely delivered, but 
rather is created at the license server by-and is under the control of-the site administrator." 

08/388,107, Amendment, 06/20/97, p. 23 (MS1028847) 

"[Applicants' independent claims ... require secure delivery of both first and second control items 
originating from someplace other than the appliance where they are used, at least in part, for controlling 
the same process, operation or the like. This feature in combination is not taught or suggested by 
Johnson and/or Rosen " 
(pg. 23) 

"Johnson's user database is not securely delivered, but rather is created at the license server by-and is 
under the control of-the site administrator" 
(pg. 23) 

"Rosen does not disclose or suggest securely delivering controls of plural different entities and/or 
appliances from at least one source remote to the receiving site or appliance as recited in applicants' 
independent claims Rosen's is distinguishable at least because Rosen's merchant trusted agent 
(MTA) and customer trusted agent (CTA) are loaded into different appliances and operate in different 
appliances. ... Furthermore, such loading operation is performed at Rosen's physically secure device 
manufacturing site - not from at least one source remote to the device." 
(pg. 23-24) 

08/388,107, Amendment, 06/20/97, p. 23, 23, 24 (MSI028847-48) 

- "Secure communications means employing authentication, digital signaturing, and encrypted 
transmissions" ('193 12:5-35, 12:33) 

- The appliance 600 may then open the secure electronic container ("attache case") 302 and deliver 
the item it contains to recipient 4056 (FIG. 91B, block 4092D). ('683 ) 

- "FIGS. 114A-118 show example processes for securely receiving an item" ('683 14:64-65) 

- "By way of non-exhaustive summary, these present inventions provide a highly secure and trusted 
item delivery and agreement execution services providing the following features and functions:" 
('683 :6) 

- "When encrypted or otherwise secured information is delivered into a user's secure VDE processing 
area (e.g., PPE 650), a portion of this information can be used as a "tag" that is first decrypted or 
otherwise unsecured and then compared to an expected value to confirm that the information represents 
expected information. The tag thus can be used as a portion of process confirming the identity and 
correctness of received, VDE protected, information." (214:17) 

"For objects in which maintaining security is particularly important, the permission records 808 
and key blocks 810 will frequently be distributed electronically, using secure communications 
techniques (discussed below) that are controlled by the VDE nodes of the sender and receiver." ('193 129:8-13) 

"Creator B . . . may accept such a [new control] model if information associated with the one or 
more meter methods that record the number of bytes decrypted by users is securely packaged by 
distributor B's VDE secure subsystem and is securely, employing VDE communications techniques, 
sent to creator B in addition to distributor A" ('193 307:46-51) 

- ('193 209:27-30); ('193 29:64-30:4); ('193 36:29-33); ('193 45:39-45); ('193 153:53-67); ('193 
293:4-7); ('683 15:67-16:4) 

Extrinsic: 

Secure: Pertaining to the control of who can use an object and to the extent to which the object can be 
used by controlling the authority given to the user. (IBM) 

Receiving: 1. To obtain and store data. (IBM) 

Secure Processing Unit: The physically secure hardware component of the SPE: a processor with local 
memory and non-volatile storage. The SPE consists of the SPU itself and the SPE software running on 
the SPU. (ITG, 3/7/1995, IT00709620, see footnote 2) 


security level, 
level of security 

721.1; 721.34, 
912.8 


Intrinsic: 

- ('193 21:26-31); ('193 45:52-59), but only as to 912.8. 

- "For example, protected processing environments or other secure execution spaces that are more 
impervious to tampering (such as those providing a higher degree of physical security) may use an 
assurance level that isolates it from protected processing environments or other secure execution spaces 
that are relatively more susceptible to tampering (such as those constructed solely by software 
executing on a general purpose digital computer in a non-secure location)." 

- "The present invention may use a verifying authority and the digital signatures it provides to 
compartmentalize the different electronic appliances depending on their level of security (e.g., work 
factor or relative tamper resistance)." 

- "Assurance level I might be used for an electronic appliance(s) 61 whose protected processing 
environment 108 is based on software techniques that may be somewhat resistant to tampering. An 
example of an assurance level I electronic appliance 61A might be a general purpose personal computer 
that executes software to create protected processing environment 108. An assurance level II electronic 
appliance 61B may provide a protected processing environment 108 based on a hybrid of software 
security techniques and hardware-based security techniques. An example of an assurance level II 
electronic appliance 61B might be a general purpose personal computer equipped with a hardware 
integrated circuit secure processing unit ("SPU") that performs some secure processing outside of the 
SPU (see Ginter et al. patent disclosure FIG. 10 and associated text). Such a hybrid arrangement might 
be relatively more resistant to tampering than a software-only implementation. The assurance level III 
appliance 61C shown is a general purpose personal computer equipped with a hardware-based secure 
processing unit 132 providing and completely containing protected processing environment 108 (see 
Ginter et al. FIGS. 6 and 9 for example). A silicon-based special purpose integrated circuit security chip 
is relatively more tamper-resistant than implementations relying on software techniques for some or all 
of their tamper-resistance." ('721 ) 

- "Assurance level in this example may be assigned to a particular protected processing environment 
108 at initialization (e.g., at the factory in the case of hardware-based secure processing units). 
Assigning assurance level at initialization time facilitates the use of key management (e.g., secure key 
exchange protocols) to enforce isolation based on assurance level. For example, since establishment of 
assurance level is done at initialization time, rather than in the field in this example, the key exchange 
mechanism can be used to provide new keys (assuming an assurance level has been established 
correctly)." ('721 _) 

- "The assurance level III appliance 61C shown is a general purpose personal computer equipped with 
a hardware-based secure processing unit 132 providing and completely containing protected processing 
environment 108 (see Ginter et al. FIGS. 6 and 9 for example). A silicon-based special purpose 
integrated circuit security chip is relatively more tamper-resistant than implementations relying on 
software techniques for some or all of their tamper-resistance." 

- "Protected execution spaces such as protected processing environments can be programmed or 
otherwise conditioned to accept only those load modules or other executables bearing a digital 
signature/certificate of an accredited (or particular) verifying authority. Tamper resistant barriers may 
be used to protect this programming or other conditioning. The assurance levels described below are a 
measure or assessment of the effectiveness with which this programming or other conditioning is 
protected." 

- SN: 08/689,754: Amendment 

- Claims 9 and 30 cancelled. 

- Claims 1-2, 5-6, 10-15, 17-23, 26-27, 31-32, 34, 36, 38-43 amended. Some terms changed (e.g. 
work factor = security level); points in part to '107 spec'n (and in part to specific portions of '754 app.) 
to support definiteness of challenged claim terms; "execution spaces" "refers to a resource which can 
be used for execution of a program or process." (14)); 

- "In accordance with this feature of the invention, verifying authority 100 supports all of these 
various categories of digital signatures, and system 50 uses key management to distribute the 
appropriate verification keys to different assurance level devices. For example, verifying authority 100 
may digitally sign a particular load module 54 such that only hardware-only based server(s) 402(3) at 
assurance level XI may authenticate it. This compartmentalization prevents any load module executable 
on hardware-only servers 402(3) from executing on any other assurance level appliance (for example, 
software-only protected processing environment based support service 404(1))." (19:11) 

- "VDE, in its preferred embodiment, uses special purpose tamper resistant Secure Processing Units 
(SPUs) to help provide a high level of security for VDE processes and information storage and 
communication." ('193 4:3-7) 

- ('193 29:24-28); ('193 49:59-62); ('193 201:51-55); ('193 203:58-67); ('193 212:66-213:15) 

"In order to allow, in the preferred embodiment, the ability to differentiate installations with 
different levels/degrees of trustedness/security, different certification key pairs may be used (e.g., 
different certification keys may be used to certify SPEs 503 than are used to certify HPEs 655)." 
(210:36) 

"security level. To protect digital works against unauthorized uses, repositories need different 
degrees of physical security. Repositories handling extremely valuable works need greater 
security than ones for ordinary and portable use. The term security level refers to a sequence of 
levels ranging from low security to very high security." 

"Letting Loose the Light: Igniting Commerce in Electronic Publication," Stefik, draft 1994, 1995 
(MSI028761) 

"Security level: Different degrees of physical security - ranging from low security to very high 
security - for protecting digital works against unauthorized use. Repositories for handling 
extremely valuable works need greater security than those for ordinary and portable use." 

"Letting Loose the Light: Igniting Commerce in Electronic Publication," Stefik, in Internet Dreams, 
MIT 1996 (MS1028785) 

Prosecution History of '721 Patent: 

"please amend the application identified above as follows: 

IN THE CLAIMS 

Please cancel claims ... and amend claims 1, ... as follows: 
1. [Amended] A security method comprising: 

(a) digitally signing a first load module with a first digital signature designating the first load 
module for use by a first device class; 

(b) digitally signing a second load module with a second digital signature different from the first 
digital signature, the second digital signature designating the second load module for use by a second 
device class having at least one of tamper resistance and[/or] security level [work factor substantially] 
different from the at least one of tamper resistance and[/or] security level [work factor] of the first 
device class; 

(c) distributing the first load module for use by at least one device in the first device class; and 

(d) distributing the second load module for use by at least one device in the second device class." 
(pg. 1-2) 

"36. [Amended] A protected processing environment comprising: 

a first tamper resistant barrier having a first security level [work factor], 

a first secure execution space, and 

at least one arrangement within the first tamper resistant barrier that prevents the first secure execution 
space from executing the same executable accessed by a second [further] secure execution space having 
a second [further] tamper resistant barrier with a second [further] security level [work factor 
substantially] different from the first security level [work factor]." 
(pg. 10) 

"In the pending Office Action, the Examiner rejected claims 1-43 under 35 U.S.C. 112, second 
paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter 
of the invention. By this Amendment, Applicants have canceled claims ... and amended other claims 

to more appropriately define the present invention In response to the Examiner's rejection, 

Applicants also have amended Claims 1-2, ... 36, ... to address issues raised by the Examiner " 
(pg. 13) 

08/689,754 ('721), Amendment, 04/14/99, 1-2, 10, 13 
Extrinsic: 

Security: The quality or state of being cost-effectively protected from undue losses (e.g. loss of 
goodwill, monetary loss, loss of ability to continue operations, etc.) (Longley) 

Level: 1. The degree of subordination of an item in a hierarchic arrangement 3. The version of a 
program. (IBM) 

Level: 1. In computer security, see security level and integrity level. (Longley) 

Security level: In computer security, the combination of hierarchical classification and a set of non- 
hierarchical categories that represent the sensitivity of information. (Longley) 

Integrity level: In access control, a level of trustworthiness associated with a subject or object 
(Longley) 

Security: The combination of integrity and secrecy, applied to data. (ITG, 5/12/95, IT00028295) 
Secrecy: The inability to obtain any information from data. (ITG, 5/12/95, IT00028294) 


tamper resistance 

721.1, 721.34, 
900.155 


Intrinsic: 

"The level of security and tamper resistance required for trusted SPU hardware processes depends on 
the commercial requirements of particular markets or market niches, and may vary widely " ('193 
49:59-62) 

Extrinsic: 

Tamper-resistant Module: In data security, a device in which sensitive information, such as a master 
cryptographic key, is stored and cryptographic functions are performed. The device has one or more 
sensors to detect physical attacks, by an adversary trying to gain access to the stored information in 
which case the stored sensitive data is immediately destroyed. (Longley) 

Information Security Dictionary of Concepts, Standards, and Terms (1992) ("Tamper-resistant Module: 
In data security, a device in which sensitive information, such as a master cryptographic key, is stored 
and cryptographic functions are performed. The device has one or more sensors to detect physical 
attacks, by an adversary trying to gain access to the stored information in which case the stored 
sensitive data is immediately destroyed.") 

IT4 1 530-49, ITS 1 3 47-60 

Neumann, Computer Related Risks (1995) at 349 


Tamper resistant 
barrier 

721.34 


Intrinsic: 

"In addition, Applicants would like to draw the Examiner's attention to other sections of the 
specification in support of words or phrases cited by the Examiner as "indefinite. " ... In claims ... 36 
... the term "barrier" is used as part of the phrase "tamper resistant barrier." This phrase is described in 
the specification on at least pages 7-8 and 46. In addition, the incorporated Ginter application describes 
tamper resistant barriers in a number of locations such as, for example, page 201." 
(pg. 13-14) (pages 7 and 46 of the original specification are '721 2:62-3:13 and 16:35-54 of the issued 
patent; page 201 of Ginter application SN 08/388,107 is '193 80:40-81:1) 

08/689,754 ('721), Amendment, 04/14/99, p. 14 

- "SPU 500 is enclosed within and protected by a "tamper resistant security barrier" 502. Security 
barrier 502 separates the secure environment 503 from the rest of the world. It prevents information and 
processes within the secure environment 503 from being observed, interfered with and leaving except 
under appropriate secure conditions." ('193 59:48-53) 

- "Although block 1262 includes encrypted summary services information on the back up, it 
preferably does not include SPU device private keys, shared keys, SPU code and other internal security 
information to prevent this information from ever becoming available to users even in encrypted form." 
('193 166:59-64) 

"Briefly, the preferred example software-based PPE 650 installation process provides the following 
security techniques: encrypted software distribution, installation customized on a unique instance 
and/or electronic appliance basis, encrypted on-disk form, installation tied to payment method, unique 
software and data layout, and identifiable copies " (236:32) 

"(c) if the load module has an associate digital signature, authenticating the digital signature at 
least one public key secured behind a tamper resistant barrier and therefore hidden from the user." 
('721.9) 

"A further attack technique might involve duplicating one installed operational material 3472 
instance by coping the programs and data from one personal computer 3372B to another personal 
computer 3372C or emulator (see FIG. 67B, block 3364, and the "copy" arrow 3364A in FIG. 67A). 
The duplicated PPE instance could be used in a variety of ways, such as, for example, to place an 
imposter PPE 650 instance on-line and/or to permit further dynamic analysis." ('900 233:8-15) 

"Various software protection techniques detailed above in connection with FIG. 10 may provide 
software-based tamper resistant barrier 674 within a software-only and/or hybrid software/hardware 
protected processing environment 650. The following is an elaboration on those above-described 
techniques. These software protection techniques may provide, for example, the following: An on-line 
registration process that results in the creation of a shared secret between the registry and the PPE 650 
instance — used by the registry to create content and transactions that are meaningful only to specific 
PPE instance. An installation program (that may be distinct from the PPE operational material 
software) that creates a customized installation of the PPE software unique to each PPE instance and/or 
associate electronic appliance 600. Camouflage protections that make it difficult to reverse engineer 
the PPE 650 operational material during PPE 650 operation. Integrity checks performed during PPE 
650 operation (e.g., during on-line interactions with trusted servers) to detect compromise. In general, 
the software-based tamper resistant barrier 674 may establish "trust" primarily through uniqueness and 
complexity." ('900 235:30-57) 

- ('900 243:3-9); ('193 80:40-65, Fig. 10); ('900 230:63-65); ('900 233:24-33); ('900 235:30-56); 
('900 236:9-15) 

Extrinsic: 

Tamper-resistant Module: In data security, a device in which sensitive information, such as a master 
cryptographic key, is stored and cryptographic functions are performed. The device has one or more 
sensors to detect physical attacks, by an adversary trying to gain access to the stored information in 
which case the stored sensitive data is immediately destroyed. (Longley) 

"The "tamper-resistant module" is physically strong and destroys secrets when opened, and the 
software running inside has been checked for integrity;" (Davies) 

"The host computer is provided with a specially, physically secure module containing all the secret 
information which must be protected. In the IBM papers it is called the Cryptographic Facility: we 
shall call it a 'Tamper Resistant Module' (TRM)." (Davies) 


tamper resistant 
software 

900.155 


Intrinsic: 

"Operational materials 3472 may then decrypt the next program segment dynamically This 
mechanism increases the tamper-resistance of the executable code-thus providing additional tamper 
resistance for PPE operations." ('900 243:3-8) 

Extrinsic: 

Tamper-resistant Module: In data security, a device in which sensitive information, such as a master 
cryptographic key, is stored and cryptographic functions are performed. The device has one or more 
sensors to detect physical attacks, by an adversary trying to gain access to the stored information in 
which case the stored sensitive data is immediately destroyed. (Longley) 

"Tamper resistant software resists observation and modification." Aucsmith, Tamper Resistant 
Software, 1st Workshop on Information Hiding, May 30, 1996. 


use 

912.8, 912.35, 
861.58, 193.19, 
891.1, 683.2, 
721.1 


Intrinsic: 

- Provides non-repudiation of use and may record specific forms of use such as viewing, editing, 
extracting copying, redistributing (including to what one or more parties), and/or saving. 

- Content (executables for example) delivered with proof of delivery and/or execution or other use. 

- "In general, VDE enables parties that (a) have rights in electronic information, and/or (b) act as 
direct or indirect agents for parties who have rights in electronic information, to ensure that the 
moving, accessing, modifying, or otherwise using of information can be securely controlled by 
rules regarding how, when, where, and by whom such activities can be performed." ('193 6:24-30) 

- "Some or all of the back up files may be packaged within an administrative object and transmitted 
for analysis, transportation, or other uses." ('193 167:45-48) 

- "to securely control access and other use, including distribution of records, documents, and notes 
associated with the case." ('193 274:34-36) 

- "Thus wrapped, a VDE object may be distributed to the recipient without fear of unauthorized 
access and/or other use. The one or more authorized users who have received an object are the only 
parties who may open that object and view and/or manipulate and/or otherwise modify its contents 
and VDE secure auditing ensures a record of all such user content activities." ('193 277:15-21) 

- "These appliances typically include a secure subsystem that can enable control of content use such 
as displaying, encrypting, decrypting, printing, copying, saving, extracting, embedding, 
distributing, auditing usage, etc." ('193 9:24-27) 

- "VDE provides a secure, distributed electronic transaction management system for controlling the 
distribution and/or other usage of electronically provided and/or stored information." ('193 9:36- 
39) 

- "As a result, VDE supports most types of electronic information and/or appliance: usage control 
(including distribution), security, usage auditing, reporting, other administration, and payment 
arrangements." ('193 13:50-53) 

- Provides non-repudiation of use and may record specific forms of use such as viewing, editing, 
extracting copying, redistributing (including to what one or more parties), and/or saving. 

Content (executables for example) delivered with proof of delivery and/or execution or other use. 

"In general, VDE enables parties that (a) have rights in electronic information, and/or (b) act as 
direct or indirect agents for parties who have rights in electronic information, to ensure that the 
moving, accessing, modifying, or otherwise using of information can be securely controlled by 
rules regarding how, when, where, and by whom such activities can be performed" ('193 6:24-31) 

"Some or all of the back up files may be packaged within an administrative object and transmitted 
for analysis, transportation, or other uses." ('193 6:24-) 

"Thus wrapped, a VDE object may be distributed to the recipient without fear of unauthorized 
access and/or other use. The one or more authorized users who have received an object are the only 
parties who may open that object and view and/or manipulate and/or otherwise modify its contents 
and VDE secure auditing ensures a record of all such user content activities." ('193 277:15-21) 

"These appliances typically include a secure subsystem that can enable control of content use such 
as displaying, encrypting, decrypting, printing, copying, saving, extracting, embedding, 
distributing, auditing usage, etc." ('193 9:24-27) 

"VDE provides a secure, distributed electronic transaction management system for controlling the 
distribution and/or other usage of electronically provided and/or stored information." ('193 9:36- 
39) 

"As a result, VDE supports most types of electronic information and/or appliance: usage control 
(including distribution), security, usage auditing, reporting, other administration, and payment 
arrangements." ('193 33:50-53) 

"SPU 500 is enclosed within and protected by a "tamper resistant security barrier" 502. Security 
barrier 502 separates the secure environment 503 from the rest of the world. It prevents 
information and processes within the secure environment 503 from being observed, interfered with 
and leaving except under appropriate secure conditions. Barrier 502 also controls external access to 
secure resources, processes and information within SPU 500. In one example, tamper resistant 
security barrier 502 is formed by security features such as "encryption," and hardware that detects 
tampering and/or destroys sensitive information within secure environment 503 when tampering is 
detected." ('193 59:48-59) 

"Once the information is downloaded, the now-initialized PPE 650 can discard (or simply not use) 
the manufacturing key." ('193 212:57-59) 

Extrinsic: 

User: A person using a InterTrust node to perform some function (i.e., acting in some role). A user is 
identified with respect to the node by a user ID. (ITG, 5/12/95, IT00028300) 

User ID: Locally to a InterTrust node, each InterTrust user has an ID associated with a user name and 
authentication (e.g., password). In some deployments, there may be only one user, and access to the 
machine may be considered sufficient authentication; in such cases, the user ID concept may not be 
visible to the user even though it is present in the implementation. (ITG, 5/12/95, IT00028301) 

Use: To use an object is to access the content. This involves the processes of controlling and metering 
the use of the property and creating audit trail records on the use. (VDE ROl DEVICE vl.Oa 9 Feb 
1994, IT00008570) 


user controls 
683.2 


Intrinsic: 

"PPE 650 may perform various tests on the inputted item and/or other results of the user interaction 
provided by block 4512E in accordance with one or more user controls." ('683 39:19-21) 
('193 26:39-67) 

"support user interaction through: ... (c) VDE aware applications which, as a result of the use of a VDE 
API and/or a transaction management (for example, ROS based) programming language embeds VDE 
"awareness" into commercial or internal software (application programs, games, etc.) so that VDE user 
control information and services are seamlessly integrated into such software .... For example, in a 
VDE aware word processor application, a user may be able to "print" a document into a VDE content 
container object, applying specific control information by selecting from amongst a series of different 
menu templates for different purposes (for example, a confidential memo template for internal 
organization purposes may restrict the ability to "keep," that is to make an electronic copy of the 
memo)." ('193 26:39) 

Extrinsic: 

Control: A business rule that governs the use of content (ITG, 1997-1998, ML00012B) 

Control: A set of rules and consequences that apply to a governed element. The term control can apply 
to either a control program or a control set (ITG, 1997-2000, ML00012D) 

Control: • Control Element. A data structure that giverns (sic) the operation of a control mechanism 
(e.g., meter element, budget element, report element, trail element). • Control mechanism: One of the 
mechanisms that controls and performs operations on a VDE object (e.g. meter, bill, budget). A control 
mechanism is distinct from a control element in that it specifies the execution of some process. • 
Control object: A data structure that is used to implement some VDE control: a PERC, a control 
element, a control parameter, or the data representing a control mechanism. • Control Parameter: A 
data structure that is input to a control mechanism and that serves as part of the mechanism's 
specifications. For example, a billing mechanism might have a pricing parameter; a creator using that 
mechanism could alter the parameter but not change the mechanism itself (ITG, 3/7/1995, 
IT00709618, see footnote 2) 

Control: Defines rules and consequences for operations on a Property Chunk. A Control may be 
implemented by a process of arbitrary complexity (within the limits posed by the capability of the 
Node). (ITG, 5/12/95, IT00028293) 

Control: A set of rules and consequences for operations on content, such as pricing, payment models, 
usage reporting etc. (ITG, 8/21/95, IT00032373, TD00068B) 

User: A person using a InterTrust node to perform some function (i.e., acting in some role). A user is 
identified with respect to the node by a user ID. (ITG, 5/12/95, IT00028300) 

User ID: Locally to a InterTrust node, each InterTrust user has an ID associated with a user name and 
authentication (e.g., password). In some deployments, there may be only one user, and access to the 
machine may be considered sufficient authentication; in such cases, the user ID concept may not be 
visible to the user even though it is present in the implementation. (ITG, 5/12/95, IT00028301) 

Extrinsic: 

User: 1. A person who requires the services of a computing system. 2. Any person or any thing that 
may issue or receive commands and messages to or from the information processing system. (IBM) 

User: 1. In communications security, any person who interacts directly with a network system. 
4. In computer security, people who can access an AIS either by direct connections or indirect 
connections. (Longley) 

Control: The determination of the time and order in which the parts of a data processing system and the 
devices that contain those parts perform the input, processing, storage, and output functions. (IBM) 


validity 
on c 


Intrinsic: 

"One of the functions SPU 500 may perform is to validate/authenticate VDE objects 300 and other 
items. Validation/authentication often involves comparing long data strings to determine whether they 
compare in a predetermined way." ('193 67:56-60) 

- ('193 73:24-25); ('193 73:26); ('193 78:6-17); ('193 87:47-55); ('193 112:46-61); ('193 210:28- 
35) 

Extrinsic: 

Validation: 1. In Cryptography, the process of checking the data integrity of a message, or selected 
parts of a message. (Longley) 

Validity Check: The process of analyzing data to determine whether it conforms to predetermined 
completeness and consistency parameters. (Microsoft Computer Dictionary, 3rd ed. 1997) 
"Validate - resolve references to other objects, check 'parameters'" (TT00051955) 


Virtual 
distribution 
environment 

900.155 


Intrinsic: 

'193 203:58-67; '193 2:22 through conclusion of Background and Summary 

"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment." 

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2 

See 900.155 for Prosecution History limitations. 

"With respect to the remaining issues, Applicants respectfully disagree. For example, the 
Examiner objects to the use of "environment" as indefinite and unclear. This word, however, is not 
used in isolation, but rather in the context of several longer phrases, all of which are defined in the 
specification. The phrase "protected processing environment," for example, is used in Claims 11 and 
15-18 and described on at least, for example, pages 7-8 and 25 of the specification. The term "virtual 
distribution environment" used in Claim 11 is described, for example, on page 7 of the specification. 
The terms are also described in the commonly copending application Serial Number 08/388,107 of 
Ginter et al, filed 13 February 1995, entitled "System and Methods for Secure Transaction 
Management and Electronic Rights Protection." A copy of the incorporated Ginter application can be 
provided to the Examiner upon request." 

(pg. 13-14) (pages 7, 7-8 and 25 of the original specification are '721 2:62-3:13, 2:62-3:34 and 8:6-28 
of the issued patent) 

08/689,754 ('721), Amendment, 04/14/99, p. 13 

- VDE supports a model wide, distributed security implementation which creates a single secure 
"virtual" transaction processing and information storage environment. VDE enables distributed VDE 
installations to securely store and communicate information and remotely control the execution 
processes and the character of use of electronic information at other VDE installations and in a wide 
variety of ways; ('193 21:57-65) 

- The rights protection problems solved by the present invention are electronic versions of basic 
societal issues. These issues include protecting property rights, protecting privacy rights, properly 
compensating people and organizations for their work and risk, protecting money and credit, and 
generally protecting the security of information. ('193 4:8-13) 

- The present invention provides a new kind of "virtual distribution environment" (called "VDE" in this 
document) that secures, administers, and audits electronic information use. ('193 2:24-27) 

- A fundamental problem for electronic content providers is extending their ability to control the use of 
proprietary information. Content providers often need to limit use to authorized activities and amounts. 
Participants in a business model involving, for example, provision of movies and advertising on optical 
discs may include actors, directors, script and other writers, musicians, studios, publishers, distributors, 
retailers, advertisers, credit card services, and content end-users. These participants need the ability to 
embody their range of agreements and requirements, including use limitations, into an "extended" 
agreement comprising an overall electronic business model. This extended agreement is represented by 
electronic content control information that can automatically enforce agreed upon rights and 
obligations. Under VDE, such an extended agreement may comprise an electronic contract involving all 
business model participants. Such an agreement may alternatively, or in addition, be made up of 
electronic agreements between subsets of the business model participants. Through the use of VDE, 
electronic commerce can function in the same way as traditional commerce-that is commercial 
relationships regarding products and services can be shaped through the negotiation of one or more 
agreements between a variety of parties. ('193 2:37-60) 

- "Protecting the rights of electronic community members involves a broad range of technologies. 
VDE combines these technologies in a way that creates a "distributed" electronic rights protection 
"environment." This environment secures and protects transactions and other processes important for 
rights protection. VDE, for example, provides the ability to prevent, or impede, interference with and/or 
observation of, important rights related transactions and processes." ('193 3:63-4:3) 

- "VDE is a cost-effective and efficient rights protection solution that provides a unified, consistent 
system for securing and managing transaction processing. VDE can: (a) audit and analyze the use of 
content, (b) ensure that content is used only in authorized ways, and (c) allow information regarding 
content usage to be used only in ways approved by content users." ('193 4:48-55) 

- In general, VDE enables parties that (a) have rights in electronic information, and/or (b) act as direct 
or indirect agents for parties who have rights in electronic information, to ensure that the moving, 
accessing, modifying, or otherwise using of information can be securely controlled by rules regarding 
how, when, where, and by whom such activities can be performed. ('193 6:24-30) 

- "A variety of capabilities are required to implement an electronic commerce environment. VDE is 
the first system that provides many of these capabilities and therefore solves fundamental problems 
related to electronic dissemination of information." ('193 8:16-20) 

- VDE offers an architecture that avoids reflecting specific distribution biases, administrative and 
control perspectives, and content types. Instead, VDE provides a broad-spectrum, fundamentally 
configurable and portable, electronic transaction control, distributing, usage, auditing, reporting, and 
payment operating environment. VDE is not limited to being an application or application specific 
toolset that covers only a limited subset of electronic interaction activities and participants. Rather, 
VDE supports systems by which such applications can be created, modified, and/or reused. As a result, 
the present invention answers pressing, unsolved needs by offering a system that supports a 
standardized control environment which facilitates interoperability of electronic appliances, 
interoperability of content containers, and efficient creation of electronic commerce applications and 
models through the use of a programmable, secure electronic transactions management foundation and 
reusable and extensible executable components. VDE can support a single electronic "world" within 
which most forms of electronic transaction activities can be managed. ('193 8:53-9:5) 

- "VDE can securely manage the integration of control information provided by two or more parties. 
As a result, VDE can construct an electronic agreement between VDE participants that represent a 
"negotiation" between, the control requirements of, two or more parties and enacts terms and conditions 
of a resulting agreement. VDE ensures the rights of each party to an electronic agreement regarding a 
wide range of electronic activities related to electronic information and/or appliance usage." ('193 9:52- 
61) 

- ""Hardware" 506 also contains long-term and short-term memories to store information securely so it 
can't be tampered with." ('193 60:1-3) 

- VDE prevents many forms of unauthorized use of electronic information, by controlling and auditing 
(and other administration of use) electronically stored and/or disseminated information. ('193 11:60-63) 

- Together, these VDE components comprise a secure, virtual, distributed content and/or appliance 
control, auditing (and other administration), reporting, and payment environment. ('193 13:14-17) 

- VDE can securely deliver information from one party to another concerning the use of commercially 
distributed electronic content. Even if parties are separated by several "steps" in a chain (pathway) of 
handling for such content usage information, such information is protected by VDE through encryption 
and/or other secure processing. Because of that protection, the accuracy of such information is 
guaranteed by VDE, and the information can be trusted by all parties to whom it is delivered. ('193 
14:31-39) 

- VDE allows the needs of electronic commerce participants to be served and it can bind such 
participants together in a universe wide, trusted commercial network that can be secure enough to 
support very large amounts of commerce. VDE's security and metering secure subsystem core will be 
present at all physical locations where VDE related content is (a) assigned usage related control 
information (rules and mediating data), and/or (b) used. This core can perform security and auditing 
functions (including metering) that operate within a "virtual black box," a collection of distributed, very 
secure VDE related hardware instances that are interconnected by secured information exchange (for 
example, telecommunication) processes and distributed database means. ('193 15:14-27) 

- VDE provides organization, community, and/or universe wide secure environments whose integrity is 
assured by processes securely controlled in VDE participant user installations (nodes). ('193 20:48-51) 

- "Summary of Some Important Features Provided by VDE in Accordance With the Present 
Invention: VDE employs a variety of capabilities that serve as a foundation for a general purpose, 
sufficiently secure distributed electronic commerce solution. VDE enables an electronic commerce 
marketplace that supports divergent, competitive business partnerships, agreements, and evolving 
overall business models. For example, ... employ "templates" to ease the process of configuring 
capabilities of the present invention as they relate to specific industries or businesses. ...Given the very 
large range of capabilities and configurations supported by the present invention, reducing the range of 
configuration opportunities to a manageable subset particularly appropriate for a given business model 
allows the full configurable power of the present invention to be easily employed by "typical" users 
who would be otherwise burdened with complex programming and/or configuration design 
responsibilities template applications can also help ensure that VDE related processes are secure and 
optimally bug free by reducing the risks associated with the contribution of independently developed 
load modules, including unpredictable aspects of code interaction between independent modules and 

applications, as well as security risks associated with possible presence of viruses in such modules 

As the context surrounding these templates changes or evolves, template applications provided under 
the present invention may be modified to meet these changes for broad use, or for more focused 
activities. ... Of course, templates may, under certain circumstances have fixed control information and 
not provide for user selections or parameter data entry." ('193 21:43-53 27:1-28:18) 

- "Summary of Some Important Features Provided by VDE in Accordance With the Present Invention: 
VDE employs a variety of capabilities that serve as a foundation for a general purpose, sufficiently 
secure distributed electronic commerce solution. VDE enables an electronic commerce marketplace that 
supports divergent, competitive business partnerships, agreements, and evolving overall business 
models. For example, ... provide mechanisms to persistently maintain trusted content usage and 
reporting control information through both a sufficiently secure chain of handling of content and 
content control information and through various forms of usage of such content wherein said 
persistence of control may survive such use. Persistence of control includes the ability to extract 
information from a VDE container object by creating a new container whose contents are at least in part 
secured and that contains both the extracted content and at least a portion of the control information 
which control information of the original container and/or are at least in part produced by control 
information of the original container for this purpose and/or VDE installation control information 
stipulates should persist and/or control usage of content in the newly formed container. Such control 
information can continue to manage usage of container content if the container is "embedded" into 
another VDE managed object, such as an object which contains plural embedded VDE containers, each 
of which contains content derived (extracted) from a different source." ('193 21:43-53 28:45-65) 

- Summary of Some Important Features Provided by VDE in Accordance With the Present 
Invention.... Interoperability is fundamental to efficient electronic commerce. The design of the VDE 
foundation, VDE load modules, and VDE containers, are important features that enable the VDE node 
operating environment to be compatible with a very broad range of electronic appliances. ('193 21:43-45 
34:25-30) 

- Summary of Some Important Features Provided by VDE in Accordance With the Present Invention.... 
securely support electronic currency and credit usage control, storage, and communication at, and 
between, VDE installations. ('193 21:43-45 36:49-51) 

- Summary of Some Important Features Provided by VDE in Accordance With the Present Invention.... 
requiring reporting and payment compliance by employing exhaustion of budgets and time ageing of 
keys. ('193 21:43-45 40:8-9) 

- Summary of Some Important Features Provided by VDE in Accordance With the Present Invention.... 
Because of the VDE security, including use of effective encryption, authentication, digital signaturing, 
and secure database structures, the records contained within a VDE card arrangement may be accepted 
as valid transaction records for government and/or corporate recordkeeping requirements. ('193 21:43-45 
41:37-42) 

- Since all secure communications are at least in part encrypted and the processing inside the secure 
subsystem is concealed from outside observation and interference, the present invention ensures that 
content control information can be enforced. ('193 46:4-8) 

- An important feature of VDE is that it can be used to assure the administration of, and adequacy of 
security and rights protection for, electronic agreements implemented through the use of the present 
invention. ('193 46:51-54) 

- These are merely a few simple examples demonstrating the importance of ROS 602 ensuring that 
certain component assemblies 690 are formed in a secure manner. ROS 602 provides a wide range of 
protections against a wide range of "threats" to the secure handling and execution of component 
assemblies 690. ('193 85:15-20) 

- VDE further enables this process by providing a secure execution space in which the negotiation 
process(es) are assured of integrity and confidentiality in their operation. ('193 245:20-22) 

- "Taken together, and employed at times with VDE administrative objects and VDE security 
arrangements and processes, the present invention truly achieves a content control and auditing 
architecture that can be configured to most any commercial distribution embodiment" ('193 261:10-15) 

- For example, VDE 100 positively controls content access and usage, provides guarantee of payment 
for content used, and enforces budget limits for accessed content ('193 240:53-56) 

- Such metering is a flexible basis for ensuring payment for content royalties, licensing, purchasing, 
and/or advertising. ('193 33:56-58) 

- The overall integrity and security of VDE 100 could ensure, in a coherent and centralized manner, that 
electronic reporting of tax related information (derived from one or more electronic commerce 
activities) would be valid and comprehensive. ('193 237:47-51) 

- Distributors 106 and financial clearinghouses 316 may themselves be audited based on secure records 
of their administrative activities and a chain of reliable, "trusted" processes ensures the integrity of the 
overall digital distribution process. This allows content owners, for example, to verify that they are 
receiving appropriate compensation based on actual content usage or other agreed-upon bases. ('193 
254:66-255:5) 

- Because the control information is carried with each copy of a VDE protected document, and can 
ensure that central registries are updated and/or that originators are notified of document use, tracking 
can be prompt and accurate. ('193 281:14-16) 

- A final desirable feature of agreements in general (and electronic representations of agreements in 
particular) is that they be accurately recorded in a non-repudiatable form. In traditional terms, this 
involves creating a paper document (a contract) that describes the rights, restrictions, and obligations of 
all parties involved. This document is read and then signed by all parties as being an accurate 
representation of the agreement. Electronic agreements, by their nature, may not be initially rendered in 
paper. VDE enables such agreements to be accurately electronically described and then electronically 
signed to prevent repudiation. ('193 245:25-35) 

- As discussed above, a wide variety of techniques are currently being used to provide secure, trusted 
confidential delivery of documents and other items. Unfortunately, none of these previously existing 
mechanisms provide truly trusted, virtually instantaneous delivery on a cost-effective, convenient basis 
and none provide rights management and auditing through persistent, secure, digital information 

teconm* the present inventions provide the trustedness, confidentiality and security of a personal 
trusted courier on a virtually instantaneous and highly cost-effective basis. They provide techniques, 
systems and methods that can bring to any form of electronic communications (including, but not 
limited to Internet and internal company electronic mail) an extremely high degree of trustedness, 
confidence and security approaching or exceeding that provided by a trusted personal courier. They also 
provide a wide variety of benefits that flow from rights management and secure chain of handling and 
control. ('683 5:20) 

- The Virtual Distribution Environment provides comprehensive overall systems, and wide arrays of 
methods, techniques, structures and arrangements, that enable secure, efficient electronic commerce and 
rights management on the Internet and other information superhighways and on internal corporate 
networks such as "Intranets". ('683 5:4) 

- "parties using the Virtual Distribution Environment can participate in commerce and other 
transactions in accordance with a persistent set of rules they electronically define." ('683 6:11) 

- "All of these various coordination steps can be performed nearly simultaneously, efficiently, rapidly 
and with an extremely high degree of trustedness based on the user of electronic containers 302 and the 
secure communications, authentication, notarization and archiving techniques provided in accordance 
with the present inventions" ('683 55:54) 

- "People are increasingly using secure digital containers to safely and securely store and transport 
digital content. One secure digital container model is the "DigiBox.TM." container developed by 
InterTrust Technologies, Inc. of Sunnyvale, Calif. The Ginter et al. patent specification referenced 
above describes many characteristics of this DigiBox.TM. container model — a powerful, flexible, 
general construct that enables protected, efficient and interoperable electronic description and regulation 
of electronic commerce relationship of all kinds, including the secure transport, storage and rights 
management interface with objects and digital information within such containers." ('861 1:35) 

- "Briefly, DigiBox containers are tamper-resistant digital containers that can be used to package any 
kind of digital information such as, for example, text, graphics, executable software, audio and/or video. 
The rights management environment in which DigiBox.TM. containers are used allows commerce 
participants to associate rules with the digital information (content). The rights management 
environment also allows rules (herein including rules and parameter data controls) to be securely 
associated with other rights management information, such as for example, rules, audit records created 
during use of digital information and administrative information associated with keeping the 
environment working properly, including ensuring rights and any agreements among parties. The 
DigiBox.TM. electronic container can be used to store, transport and provide a rights management 
interfaces to digital information, related rules and other rights management information, as well as to 
other objects and/or data within a distributed, rights management environment. This arrangement can 
be used to provide electronically enforced chain of handling and control wherein rights management 
persists as a container moves from one entity to another. This capability helps support a digital rights 
management architecture that allows content rightsholders (including any parties who have system 
authorized interests related to such content, such as content republishers or even governmental 
authorities) to securely control and manage content, events, transactions, rules and usage consequences, 
including any required payment and/or usage reporting. This secure control and management continues 
persistently, protecting rights as content is delivered to, used by, and passed among creators, 
distributors, repurposers, consumers, payment disagregators, and other value chain participants..." 
('861 1:47) 

- "Use of a secure electronic container containers to transport items provides an unprecedented degree 
of security, trustedness and flexibility." ('683 8:50) 

- "Virtual distribution environment 100 is "virtual" because it does not require many of the physical 
"things" that used to be necessary to protect rights, ensure reliable and predictable distribution, and 
ensure proper compensation to content creators and distributors." ('193 53:23-27) 

- VDE allows the needs of electronic commerce participants, to be served and it can bind such 
participants together in a universe wide, trusted commercial network that can be secure enough to 
support very large amounts of commerce. VDE's security and metering secure subsystem core will be 
present all physical locations where VDE related contents is (a) assigned usage related control 
information (rules and mediating data), and/or (b) used. This core can perform security and auditing 
functions (including metering) that operate within a "Virtual black box," a collection of distributed, 
very secure VDE related hardware instances that are interconnected by secured information exchange 
(for example, telecommunication) processes and distributed database means. ('193 15:14-27) 

- "Summary of Some Important Features Provided by VDE in Accordance With the Present Invention 
...VDE employs special purpose hardware distributed throughout some or all locations of a VDE 
implementation: a) said hardware controlling important elements of: content preparation (such as 
causing such content to be placed in a VDE content container and associating content control 
information with said content), content and/or electronic appliance usage auditing, content usage 
analysis, as well as content usage control; and b) said hardware having been designed to securely 
handle processing load module control activities, wherein said control processing activities may involve 
a sequence of required control factors" ('193 21:43-45 22:20-31) 

- Physical facility and user identity authentication security procedures may be used instead of hardware 
SPUs at certain nodes, such as at an established financial clearinghouse, where such procedures may 
provide sufficient security for trusted interoperability with a VDE arrangement employing hardware 
SPUs at user nodes. ('193 45:60-65) 

- An important part of VDE provided by the present invention is the core secure transaction control 
arrangement, herein called an SPU (or SPUs), that typically must be present in each user's computer, 
other electronic appliance, or network. SPUs provide a trusted environment for generating decryption 
keys, encrypting and decrypting information, managing the secure communication of keys and other 
information between electronic appliances (i.e. between VDE installations and/or between plural VDE 
instances within a single VDE installation), securely accumulating and managing audit trail, reporting, 
and budget information in secure and/or non-secure non-volatile memory, maintaining a secure 
database of control information management instructions, and providing a secure environment for 
performing certain other control and administrative functions. ('193 48:66-49:14) 

- A hardware SPU (rather than a software emulation) within a VDE node is necessary if a highly trusted 
environment for performing certain VDE activities is required. ('193 49:15-17) 

- ""Hardware" 506 also contains long-term and short-term memories to store information securely so it 
can't be tampered with." ('193 60:1-3) 

- A VDE node's hardware SPU is a core component of a VDE secure subsystem and may employ some 
or all of an electronic appliance's primary control logic, such as a microcontroller, microcomputer or 
other CPU arrangement. This primary control logic may be otherwise employed for non VDE purposes 
such as the control of some or all of an electronic appliance's non-VDE functions. When operating in a 
hardware SPU mode, said primary control logic must be sufficiently secure so as to protect and conceal 
important VDE processes. For example, a hardware SPU may employ a host electronic appliance 
microcomputer operating in protected mode while performing VDE related activities, thus allowing 
portions of VDE processes to execute with a certain degree of security. ('193 49:33-46) 

- As shown FIG. 6, in the preferred embodiment, an SPU 500 may be implemented as a single 
integrated circuit "chip" 505 to provide a secure processing environment in which confidential and/or 
commercially valuable information can be safely processed, encrypted and/or decrypted. ('193 63:48-52) 

- "SPU 500 is enclosed within and protected by a "tamper resistant security barrier" 502. Security barrier 
502 separates the secure environment 503 from the rest of the world. It prevents information and 
processes within the secure environment 503 from being observed, interfered with and leaving except 
under appropriate secure conditions. Barrier 502 also controls external access to secure resources, 
processes and information within SPU 500. In one example, tamper resistant security barrier 502 is 
formed by security features such as "encryption," and hardware that detects tampering and/or destroys 
sensitive information within secure environment 503 when tampering is detected." ('193 59:48-59) 

- "SPU 500 may be surrounded by a tamper-resistant hardware security barrier 502. Part of this 
security barrier 502 is formed by a plastic or other package in which an SPU "die" is encased. Because 
the processing occurring within, and information stored by, SPU 500 are not easily accessible to the 
outside world, they are relatively secure from unauthorized access and tampering. All signals cross 
barrier 502 through a secure, controlled path provided by BIU 530 that restricts the outside world's 
access to the internal components within SPU 500. The secure, controlled path resists attempts from 
the outside world to access secret information and resources within SPU 500." ('193 63:60-64:5) 

- Regulation is ensured by control information put in place by one or more parties. ('193 6:34-35) 

- "Limited only by the VDE control information employed by content creators, other providers, and 
other pathway of handling and control participants, VDE allows a "natural" and unhindered flow of, and 
creation of, electronic content product models." ('193 297:25-29) 

- As a result, the present invention answers pressing, unsolved needs by offering a system that supports 
a standardized control environment which facilitates interoperability of electronic appliances, 
interoperability of content containers, and efficient creation of electronic commerce applications and 
models through the use of a programmable, secure electronic transactions management foundation and 
reusable and extensible executable components. ('193 8:62-9:3) 

- Independently, securely deliverable, component based control information allows efficient interaction 
among control information sets supplied by different parties. ('193 10:46-48) 

- A significant facet of the present invention's ability to broadly support electronic commerce is its 
ability to securely manage independently delivered VDE component objects containing control 
information (normally in the form of VDE objects containing one or more methods, data, or load 
module VDE components). This independently delivered control information can be integrated with 
senior and other pre-existing content control information to securely form derived control information 
using the negotiation mechanisms of the present invention. All requirements specified by this derived 
control information must be satisfied before VDE controlled content can be accessed or otherwise used. 
This means that, for example, all load modules and any mediating data which are listed by the derived 
control information as required, must be available and securely perform their required function. ('193 
10:66-11:14) 

- Content control information governs content usage according to criteria set by holders of rights to an 
object's contents and/or according to parties who otherwise have rights associated with distributing such 
content (such as governments, financial credit providers, and users). ('193 15:46-50) 

- In part, security is enhanced by object methods employed by the present invention because the 
encryption schemes used to protect an object can efficiently be further used to protect the associated 
content control information (software control information and relevant data) from modification. ('193 
15:51-55) 

- Summary of Some Important Features Provided by VDE in Accordance With the Present Invention.... 
Content users, such as end-user customers using commercially distributed content (games, information 
resources, software programs, etc.), can define, if allowed by senior control information, budgets, 
and/or other control information, to manage their own internal use of content. ('193 21:43-45 29:3-8) 

- Summary of Some Important Features Provided by VDE in Accordance With the Present Invention.... 
support the separation of fundamental transaction control processes through the use of event (triggered) 
based method control mechanisms. These event methods trigger one or more other VDE methods 
(which are available to a secure VDE sub-system) and are used to carry out VDE managed transaction 
related processing. These triggered methods include independently (separably) and securely 
processable component billing management methods, budgeting management methods, metering 
management methods, and related auditing management processes. As a result of this feature of the 
present invention, independent triggering of metering, auditing, billing, and budgeting methods, the 
present invention is able to efficiently, concurrently support multiple financial currencies (e.g. dollars, 
marks, yen) and content related budgets, and/or billing increments as well as very flexible content 
distribution models. ('193 21:43-45 42:21-38) 

- support, complete, modular separation of the control structures related to (1) content event triggering, 
(2) auditing, (3) budgeting (including specifying no right of use or unlimited right of use), (4) billing, 
and (5) user identity (VDE installation, client name, department, network, and/or user, etc.). The 
independence of these VDE control structures provides a flexible system which allows plural 
relationships between two or more of these structures, for example, the ability to associate a financial 
budget with different event trigger structures (that are put in place to enable controlling content based 
on its logical portions). Without such separation between these basic VDE capabilities, it would be 
more difficult to efficiently maintain separate metering, budgeting, identification, and/or billing 
activities which involve the same, differing (including overlapping), or entirely different, portions of 
content for metering, billing, budgeting, and user identification, for example, paying fees associated 
with usage of content, performing home banking, managing advertising services, etc. VDE modular 
separation of these basic capabilities supports the programming of plural, "arbitrary" relationships 
between one or differing content portions (and/or portion units) and budgeting, auditing, and/or billing 
control information. ('193 42:39-63) 

- The virtual distribution environment 100 prevents use of protected information except as permitted by 
the "rules and controls" (control information). For example, the "rules and controls" shown in FIG. 2 
may grant specific individuals or classes of content users 132 "permission" to use certain content. They 
may specify what kinds of content usage are permitted, and what kinds are not. They may specify how 
content usage is to be paid for and how much it costs. As another example, "rules and controls" may 
require content usage information to be reported back to the distributor 106 and/or content creator 102. 
('193 56:26-35) 

- "ROS VDE functions 604 may be based on segmented, independently loadable executable 
"component assemblies" 690. These component assemblies 690 are independently securely deliverable. 
The component assemblies 690 provided by the preferred embodiment comprise code and data 
elements that are themselves independently deliverable.... These component assemblies 690 are the 
basic functional unit provided by ROS 602. The component assemblies 690 are executed to perform 
operating system or application tasks. Thus, some component assemblies 690 may be considered to be 
part of the ROS operating system 602, while other component assemblies may be considered to be 
"applications" that run under the support of the operating system." ('193 83:12-29) 

- "As mentioned above, ROS 602 provides several layers of security to ensure the security of 
component assemblies 690. One important security layer involves ensuring that certain component 
assemblies 690 are formed, loaded and executed only in secure execution space such as provided within 
an SPU 500." ('193 87:33-38) 

- "Methods 1000 perform the basic function of defining what users (including, where appropriate, 
distributions, client administration, etc.), can and cannot do with an object 300." ('193 128:30-33) 

"Container 152 in this example further includes an electronic control set 188 describing conditions 
under which the power may be exercised. Controls 188 define the power(s) granted to each of the 
participants - including (in this example) conditions or limitations for exercising these powers. 
Controls 188 may provide the same powers and/or conditions of use for each participant, or they may 
provide different powers and/or conditions of use for each participant" ('712 220:1-8) 

- "...content creators and rights owners can register permissions with the rights and permissions 
clearinghouses 400 in the form of electronic "control sets." These permissions can specify what 
consumers can and can't do with digital properties, under what conditions the permissions can be 
exercised and the consequences of exercising the permissions." ('712 72:2-7) 

- "This "channel 0" "open channel" task may then issue a series of requests to secure database manager 
566 to obtain the "blueprint" for constructing one or more component assemblies 690 to be 
associated with channel 594 (block 1127). In the preferred embodiment, this "blueprint" may 
comprise a PERC 808 and/or URT 464." ('193 112:46-51) 

- In part, security is enhanced by object methods employed by the present invention because the 
encryption schemes used to protect an object can efficiently be further used to protect the associated 
content control information (software control information and relevant data) from modification. ('193 
15:51-55) 

- FIG. 5A shows how the virtual distribution environment 100, in a preferred embodiment, may 
package information elements (content) into a "container" 302 so the information can't be accessed 
except as provided by its "rules and controls." Normally, the container 302 is electronic rather than 
physical. Electronic container 302 in one example comprises "digital" information having a well 
defined structure. Container 302 and its contents can be called an "object 300." ('193 58:39-46) 

- "Moreover, when any new VDE object 300 arrives at an electronic appliance 600, the electronic 
appliance must "register" the object within object registry 450 so that it can be accessed." ('193 153:56-59) 

- "Even if the object is stored locally to the VDE node, it may be stored as a secure or protected object 
so that it is not directly accessible to a calling process. ACCESS method 2000 establishes the 
connections, routings, and security requisites needed to access the object." ('193 192:14-19) 

- "ACCESS method 2000 reads the ACCESS method MDE from the secure database, reads it in 
accordance with the ACCESS method DTD, and loads encrypted content source and routing 
information based on the MDE (blocks 2010, 2032). This source and routing information specifies the 
location of the encrypted content. ACCESS method 2000 then determines whether a connection to the 
content is available (decision block 2034). This "connection" could be, for example, an on-line 
connection to a remote site, a real-time information feed, or a path to a secure/protected resource, for 
example. If the connection to the content is not currently available ("No" exit of decision block 2014), 
then ACCESS method 2000 takes steps to open the connection (block 2016). If the connection fails 
(e.g., because the user is not authorized to access a protected secure resource), then the ACCESS 
method 2000 returns with a failure indication (termination point 2018)." ('193 192:36-52) 

- "It also employs a software object architecture for VDE content containers that carries protected 
content and may also carry both freely available information (e.g., summary, table of contents) and 
secured content control information which ensures the performance of control information." ('193 
15:41-46) 

- "In this example, creator 102 may employ one or more application software programs and one or 
more VDE secure subsystems to place unencrypted content into VDE protected form (i.e., into one or 
more VDE content containers)." ('193 315:53-56) 

- "The Ginter et al. patent specification referenced above describes many characteristics of this 
DigiBox™ container model, a powerful, flexible, general construct that enables protected, efficient and 
interoperable electronic description and regulation of electronic commerce relationships of all kinds..." 
('861 1:39) 

- "The node and container model described above and in the Ginter et al. patent specification (along 
with similar other DigiBox/VDE (Virtual Distribution Environment) models) has nearly limitless 
flexibility." ('861 2:37) 

- Therefore, the container creation and usage tools must themselves be secure in the sense that they 
must protect certain details about the container design. This additional security requirement can make it 
even more difficult to make containers easy to use and to provide interoperability. ('861 4:59) 

- "FIG. 88 illustrates secure electronic container 302 as an attaché handcuffed to the secure delivery 
person's wrist. Once again, container is shown as a physical thing for purposes of illustrations only -in 
the example it is preferably electronic rather than physical, and comprises digital information having a 
well-defined structure (see FIG. 5A). Special mathematical techniques known as "cryptography" can 
be used to make electronic container 302 secure so that only intended recipient 4056 can open the 
container and access the electronic document (or other items) 4054 it contains." ('683 15:61) 

- "Appliance 600B may deliver the digital copy of item 4054 within container 302 and/or protect the 
item with seals, electronic fingerprints, watermarks and/or other visible and/or hidden markings to 
provide a "virtual container" or some of the security or other characteristics of a container (for example, 
the ability to associate electronic controls with the item). ('683 1 8:) 

- "For example, defendant's attorney 5052 can specify one container 302 for opening by his 
co-counsel, client or client in-house counsel, and program another container 302 for opening only by 
opposing (plaintiffs) counsel 5050. Because of the unique trustedness features provided by system 
4050, the defendant's attorney 5052 can have a high degree of trust and confidence that only the 
authorized parties will be able to open the respective containers and access the information they 
contain." ('683 56:17) 

- "The "container" concept is a convenient metaphor used to give a name to the collection of elements 
required to make use of content or to perform an administrative-type activity" ('193 127:30-32) 

- "the virtual distribution environment 100, in a preferred embodiment, may package information 
elements (content) into a "container" 302 so the information can't be accessed except as provided by its 
"rules and controls."" ('193 58:39-43) 

- "VDE 100 provides a media independent container model for encapsulating content" ('193 127:2-3) 

- "The electronic form of a document is stored as a VDE container (object) associated with the specific 
client and/or case. The VDE container mechanism supports a hierarchical ordering scheme for 
organizing files and other information with a container, this mechanism may be used to organize the 
electronic copies of the documents within a container. A VDE container is associated with specific 
access control information and rights that are described in one or more permissions control information 
sets (PERCs) associated with that container. In this example, only those members of the law firm who 
possess a VDE instance, an appropriate PERC, and the VDE object that contains the desired document, 
may use the document." ('193 274:52-64) 

- "The situation is no better for processing documents within the context of ordinary computer and 
network systems. Although said systems can enforce access control information based on user identity, 
and can provide auditing mechanism for tracking accesses to files, these are low-level mechanisms that 
do not permit tracking or controlling the flow of content. In such systems, because document content 
can be freely copied and manipulated, it is not possible to determine where documents content has 
gone, or where it came from." (* 1 93 28 1 :27-35) 

- "Secure containers 302 may be used to encapsulate the video and audio being exchanged between 
electronic kiosk appliances 600, 600' to maintain confidentiality and ensure a high degree of 
trustedness. 

- "Because container 152 can only be opened within a secure protected processing environment 154 
that is part of the virtual distribution environment described in the above-referenced Ginter et al. patent 
disclosure" 

- "The present invention provides a new kind of "virtual distribution environment" (called 
"VDE" in this document) that secures, administers, and audits electronic information use. VDE also 
features fundamentally important capabilities for ...." ('193 2:24-28) 

-"the present invention truly achieves a content control and auditing architecture that can be configured 
to most any commercial distribution embodiment" ('193 261:32-15) 

-"The inability of conventional products to be shaped to the needs of electronic information providers 
and users is sharply in contrast to the present invention. Despite the attention devoted by a cross-section 
of America's largest telecommunications, computer, entertainment and information provider companies 
to some of the problems addressed by the present invention, only the present invention provides 
commercially secure, effective solutions for configurable, general purpose electronic commerce 
transaction/distribution control systems." ('193 2:13-22) 

-"The configurability provided by the present invention is particularly critical for supporting electronic 
commerce, that is enabling businesses to create relationships and evolve strategies that offer 
competitive value. Electronic commerce tools that are not inherently configurable and interoperable 
will ultimately fail to produce products (and services) that meet both basic requirements and evolving 
needs of most commerce applications." ('193 16:41-48) 

-"VDE also extends usage control information to an arbitrary granular level (as opposed to a file based 
level provided by traditional operating systems) and ..." ('193 275:8-3 1) 

-"Summary of Some Important Features Provided by VDE in Accordance With the Present Invention: 
...." ('193 21:43-45) 

-"A significant facet of the present invention's ability to broadly support electronic commerce is its 
ability to securely manage independently delivered VDE component objects containing control 
information ...." ('193 10:66-11:2) 

-"Some of the key factors contributing to the configurability intrinsic to the present invention include: 
...." ('193 16:66-67) 

-"The scalable transaction management/auditing technology of the present invention will result in more 
efficient and reliable interoperability ...." ('193 34:9-11) 

-"the present invention answers pressing, unsolved needs by offering a system that supports a 
standardized control environment which facilitates interoperability of electronic appliances, 
interoperability of content containers, and efficient creation of electronic commerce applications and 
models through the use of a programmable, secure electronic transactions management foundation and 
reusable and extensible executable components." ('193 8:63-9:3) 

-"The design of the VDE foundation, VDE load modules, and VDE containers, are important features 
that enable the VDE node operating environment to be compatible with a very broad range of electronic 
appliances" ('193 34:26-30) 

-"The ability to optionally incorporate different methods 1000 with each object is important to making 
VDE 100 highly configurable." ('193 128:28-30) 

-"An important feature of VDE is that it can be used to assure the administration of, and adequacy of 
security and rights protection for, electronic agreements implemented through the use of the present 
invention." ('712 168:22-25) 

-"In this example, both the address request 602 and the responsive information 604 are contained within 
secure electronic containers 152 in order to maintain the confidentiality and integrity of the requests 
and responses. In this way, for example, outside eavesdroppers cannot tell who sender 95(1) wants to 
communicate with or what information he or she needs to perform communications with or what 
information he or she needs to perform the communications - and the directory responses cannot be 
"spoofed" to direct the requested message to another location." ('712 32:15-22) 

Components: "On the other hand, if the information to be exchanged has already been secured and/or is 
available without authentication (e.g., certain catalog information, containers that have already been 
encrypted and do not require special handling, etc.), the "weaker" form of login/password may be used." 
('193 290:57-62) 

Components: "VDE provides means to securely combine content provided at different times, by 
differing sources, and/or representing different content types. These types, timings, and/or different 
sources of content can be employed to form a complex array of content within a VDE content container 
objects, each containing different content whose usage can be controlled, at least in part, by its own 
container's set of VDE content control information." ('193 397:35-) 

Container-Related Methods: "Although methods 1000 can have virtually unlimited variety and some 
may even be user-defined, certain basic "use" type methods are preferably used in the preferred 
embodiment to control most of the more fundamental object manipulation and other functions provided 
by VDE 100. For example, the following high level methods would typically be provided for object 
manipulation; OPEN method, READ method, WRITE method, CLOSE method. An OPEN method is 
used to control opening a container so its content may be accessed. A READ method is used to control 
access to contents in a container. A WRITE method is used to control the insertion of contents into a 
container. A CLOSE method is used to close a container that has been opened." ('193 183:12-29) 

"DESTROY method 2180 removes the ability of a user to use an object by destroying the URT the 
user requires to access the object. In the preferred embodiment, .... DESTROY method 2180 may then 
call a WRITE and/or ACCESS method to write information which will corrupt (and thus destroy) the 
header and/or other important parts of the object (block 2186). DESTROY method 2180 may then 
mark one or more of the control structures (e.g., the URT) as damaged by writing appropriate 
information to control structure (blocks 2188, 2190)." ('193 198:41-45) 

"PANIC method 2200 may prevent the user from further accessing the object currently being accessed 
by, for example, destroying the channel being used to access the object and marking one or more of the 
control structures (e.g., the URT) associated with the user and object as damaged (blocks 2206, and 
2208-2210, respectively). Because the control structure is damaged, the VDE node will need to contact 
an administrator to obtain a valid control structure(s) before the user may access the same object 
again." ('193 198:60-199:2) 

- "EXTRACT method 2080 is used to copy or remove content from an object and place it into a new 
object. In the preferred embodiment, the EXTRACT method 2080 does not involve any release of 
content, but rather simply takes content from one container and places it into another container, both of 
which may be secure. Extraction of content differs from release in that the content is never exposed 
outside a secure container." ('193 194:13-20) 

- "Use of secure electronic containers to transport items provides an unprecedented degree of security, 
trustedness and flexibility." ('683 8:50) 

-"Electronic delivery person 4060 can deliver the electronic version of item 4054 within secure 
container attaché case 302 from personal computer 4116' to another personal computer 4116 operated 
by recipient 4056." ('683 2027) 

- "Because these transactions are conducted using VDE and VDE secure containers, those observing 
the communications learn no more than the fact that the parties are communicating." ('712 310:1-3) 

- "VDE in one example provides a "virtual silicon container" ("virtual black box") in that several 
different instances of SPU 500 may securely communicate together to provide an overall secure 
hardware environment that "virtually" exists at multiple locations and multiple electronic appliances 
600. FIG. 87 shows one model 3600 of a virtual silicon container. This virtual container model 3600 
includes a content creator 102, a content distributor 106, one or more content redistributors 106a, one or 
more client administrators 700, one or more client users 3602, and one or more clearinghouses 116. 
Each of these various VDE participants has an electronic appliance 600 including a protected 
processing environment 655 that may comprise, at least in part, a silicon-based semiconductor 
hardware element secure processing unit 500. The various SPUs 500 each encapsulate a part of the 
virtual distribution environment, and thus, together form the virtual silicon container 3600." ('193 
317:58-318:8) 

-"Uses tools to transform digital information (such as electronic books, databases, computer software 
and movies) into protected digital packages called "objects." Only those consumers (or other along the 
chain of possession such as redistributor) who receive permission from a distributor 106 can open these 
packages. VDE packaged content can be constrained by "rules and control information."" ('193 
254:18-25) 

- "To open VDE package and make use of its content, an end-user must have permission." ('193 
254:45-46) 

- "place unencrypted content into VDE protected form (i.e., into one or more VDE content containers)." 
('193 315:55-56) 

- "VDE can protect a collection of rights belonging to various parties having in rights in, or to, 
electronic information. This information may be at one location or dispersed across (and/or moving 
between) multiple locations. The information may pass through a "chain" of distributors and a "chain" 
of users. Usage information may also be reported through one or more "chains" of parties. In general, 
VDE enables parties that (a) have rights in electronic information, and/or (b) act as direct or indirect 
agents for parties who have rights in electronic information, to ensure that the moving, accessing, 
modifying, or otherwise using of information can be securely controlled by rules regarding how, when, 
where, and by whom such activities can be performed." ('193 6:18-31) 

- All requirements specified by this derived control information must be satisfied before VDE 
controlled content can be accessed or otherwise used. ('193 11:8-11) 

- "VDE provides important mechanisms for both enforcing commercial agreements and enabling the 
protection of privacy rights. VDE can securely deliver information from one party to another 
concerning the use of commercially distributed electronic content. Even if parties are separated by 
several "steps" in a chain (pathway) of handling for such content usage information, such information 
is protected by VDE through encryption and/or other secure processing. Because of that protection, the 
accuracy of such information is guaranteed by VDE, and the information can be trusted by all parties 
to whom it is delivered." ('193 14:29-39) 

- VDE ensures that certain prerequisites necessary for a given transaction to occur are met. This 
includes the secure execution of any required load modules and the availability of any required, 
associated data. ('193 2027-30) 

- Required methods (methods listed as required for property and/or appliance use) must be available as 
specified if VDE controlled content (such as intellectual property distributed within a VDE content 
container) is to be used. ('193 43:37-41) 

- "Since all secure communications are at least in part encrypted and the processing inside the secure 
subsystem is concealed from outside observation and interference, the present invention ensures that 
content control information can be enforced." ('193 46:4-8) 

- This control information can determine, for example: 

(1) How and/or to whom electronic content can be provided, for example, how an electronic property 
can be distributed; 

(2) How one or more objects and/or properties, or portions of an object or property, can be directly 
used, such as decrypted, displayed, printed, etc; .... ('193 46:17-24) 

""Hardware" 506 also contains long-term and short-term memories to store information securely so it 
can't be tampered with." ('193 60:1-3) 

"A feature of VDE provided by the present invention is that certain one or more methods can be 
specified as required in order for a VDE installation and/or user to be able to use certain and/or all 
content." ('193 43:47-50) 

The virtual distribution environment 100 prevents use of protected information except as permitted by 
the "rules and controls" (control information). ('193 56:26-28) 

- As mentioned above, virtual distribution environment 100 "associates" content with corresponding 
"rules and controls," and prevents the content from being used or accessed unless a set of corresponding 
"rules and controls" is available. The distributor 106 doesn't need to deliver content to control the 
content's distribution. The preferred embodiment can securely protect content by protecting 
corresponding, usage enabling "rules and controls" against unauthorized distribution and use. ('193 
57:18-26) 

- Since no one can use or access protected content without "permission" from corresponding "rules and 
controls," the distributor 106 can control use of content that has already been (or will in the future be) 
delivered. ('193 57:30-33) 

- SPU 500 is enclosed within and protected by a "tamper resistant security barrier" 502. Security barrier 
502 separates the secure environment 503 from the rest of the world. It prevents information and 
processes within the secure environment 503 from being observed, interfered with and leaving except 
under appropriate secure conditions. Barrier 502 also controls external access to secure resources, 
processes and information within SPU 500. ('193 59:48-55) 

- Provides non-repudiation of use and may record specific forms of use such as viewing, editing, 
extracting, redistributing (including to what one or more parties), and/or saving. 

- In general, VDE enables parties that (a) have rights in electronic information, and/or (b) act as direct 
or indirect agents for parties who have rights in electronic information, to ensure that the moving, 
accessing, modifying, or otherwise using of information can be securely controlled by rules regarding 
how, when, where, and by whom such activities can be performed. ('193 6:24-30) 

- to securely control access and other use, including distribution of records, documents, and notes 
associated with the case, ('193 274:34-36) 

- Thus wrapped, a VDE object may be distributed to the recipient without fear of unauthorized access, 
and/or other use. ('193 277:16-17) 

- These appliances typically include a secure subsystem that can enable control of content use such as 
displaying, encrypting, decrypting, printing, copying, saving, extracting, embedding, distributing, 
auditing usage, etc. ('193 9:24-27) 

- VDE provides a secure, distributed electronic transaction management system for controlling the 
distribution and/or other usage of electronically provided and/or stored information. ('193 9:36-39) 

- "The doctor 5000 may then send container 301(1) to a trusted go-between 4700. ...For example, the 
trusted go-between 4700 in one example has no access to the content of the container 302(1), but does 
have a record of a seal of the contents." ('683 53:40) 

- "FIG. 116 shows example steps that may be performed by PPE 650 in response to an "open" or 
"view" event. In this example, PPE 650 may ... upon allowing recipient 4056 to actually interact with 
the item 4054 ... PPE 650 may then release the image 4068I and/or the data 4068D to the application 
running on electronic appliance 600 — electronic fingerprinting or watermarking the released content if 
appropriate (FIG. 116, block 4625C)." ('683 42:38) 

- FIG. 5A shows how the virtual distribution environment 100, in a preferred embodiment, may 
package information elements (content) into a "container" 302 so the information can't be accessed 
except as provided by its "rules and controls." ('193 58:39-43) 

- Each VDE participant in a VDE pathway of content control information may set methods for some or 
all of the content in a VDE container, so long as such control information does not conflict with senior 
control information already in place with respect to: 

(1) certain or all VDE managed content, 

(2) certain one or more VDE users and/or groupings of users, 

(3) certain one or more VDE nodes and/or groupings of nodes, and/or 

(4) certain one or more VDE applications and/or arrangements. ('193 44:6-17) 

- "All participants of VDE 100 have the innate ability to participate in any role." ('193 256:50-51) 

- "Any VDE user 112 may assign the right to process information or perform services on their behalf 
to the extent allowed by senior control information." ('193 257:17-20) 

- "PERC and URT structures provide a mechanism that may be used to provide precise electronic 
representation of rights and the controls associated with those rights. VDE thus provides a 
"vocabulary" and mechanism by which users and creators may specify their desires." ('193 
245:11-) 

- "VDE provides comprehensive and configurable transaction management, metering and monitoring 
technology." ('193 3:34) 

- VDE may be combined with, or integrated into, many separate computers and/or other electronic 
appliances. These appliances typically include a secure subsystem that can enable control of content use 
such as displaying, encrypting, decrypting, printing, copying, saving, extracting, embedding, 
distributing, auditing usage, etc. The secure subsystem in the preferred embodiment comprises one or 
more "protected processing environments", one or more secure databases, and secure "component 
assemblies" and other items and processes that need to be kept secured. VDE can, for example, securely 
control electronic currency, payments, and/or credit management (including electronic credit and/or 
currency receipt, disbursement, encumbering, and/or allocation) using such a "secure subsystem." ('193 
9:22) 

- "In addition VDE: 

(a) is very configurable, modifiable, and re-usable; 

(b) supports a wide range of useful capabilities that may be combined in different ways to 
accommodate most potential applications; 

(c) operates on a wide variety of electronic appliances ranging from hand-held inexpensive devices to 
large mainframe computers; 

(d) is able to ensure the various rights of a number of different parties, and a number of different rights 
protection schemes, simultaneously; 

(e) is able to preserve the rights of parties through a series of transactions that may occur at different 
times and different locations; 

(f) is able to flexibly accommodate different ways of securely delivering information and reporting 
usage; and 

(g) provides for electronic analogues to "real" money and credit, including anonymous electronic cash, 
to pay for products and services and to support personal (including home) banking and other financial 
activities." ('193 4:57) 

- It can provide efficient, reusable, modifiable, and consistent means for secure electronic content: 
distribution, usage control, usage payment, usage auditing, and usage reporting. ('193 8:26) 

- VDE offers an architecture that avoids reflecting specific distribution biases, administrative and 
control perspectives, and content types. Instead, VDE provides a broad-spectrum, fundamentally 
configurable and portable, electronic transaction control, distributing, usage, auditing, reporting, and 
payment operating environment. ('193 8:53) 

- The present invention allows content providers and users to formulate their transaction environment 
to accommodate: 

(1) desired content models, content control models, and content usage information pathways, 

(2) a complete range of electronic media and distribution means, 

(3) a broad range of pricing, payment, and auditing strategies, 

(4) very flexible privacy and/or reporting models, 

(5) practical and effective security architectures, and 

(6) other administrative procedures that together with steps (1) through (5) can enable most "real world" 
electronic commerce and data security models, including models unique to the electronic world. ('193 
10:11) 

- Because of the breadth of issues resolved by the present invention, it can provide the emerging 
"electronic highway" with a single transaction/distribution control system that can, for a very broad 
range of commercial and data security models, ensure against unauthorized use of confidential and/or 
proprietary information and commercial electronic transactions. ('193 17:22) 

- "A feature of the present invention provides for payment means supporting flexible electronic 
currency and credit mechanisms, including the ability to securely maintain audit trails reflecting 
information related to use of such currency or credit." ('193 33:58) 

- "the end-to-end nature of VDE applications, in which content 108 flows in one direction, generating 
reports and bills 118 in the other, makes it possible to perform "back-end" consistency checks." ('193 
223:17) 

- By way of non-exhaustive summary, these present inventions provide a highly secure and trusted 
item delivery and agreement execution services providing the following features and functions: 
Trustedness and security approaching or exceeding that of a personal trusted courier. 

Instant or nearly instant delivery. 

Optional delayed delivery ("store and forward"). 

Broadcasting to multiple parties. 

Highly cost effective. 

Trusted validation of item contents and delivery. 

Value Added Delivery and other features selectable by the sender and/or recipient. 
Provides electronic transmission trusted auditing and validating. 
Allows people to communicate quickly, securely, and confidentially. 

Communications can later be proved through reliable evidence of the communications transaction- 
providing non-repudiatable, certain, admissible proof that a particular communications transaction 
occurred. 

Provides non-repudiation of use and may record specific forms of use such as viewing, editing, 
extracting, copying, redistributing (including to what one or more parties), and/or saving. 
Supports persistent rights and rules based document workflow management at recipient sites. 
System may operate on the Internet, on internal organization and/or corporate networks ("intranets" 
irrespective of whether they use or offer Internet services internally), private data networks and/or using 
any other form of electronic communications. 

System may operate in non-networked and/or intermittently networked environments. 
Legal contract execution can be performed in real time, with or without face to face or ear-to-ear 
personal interactions (such as audiovisual teleconferencing, automated electronic negotiations, or any 
combination of such interactions) for any number of distributed individuals and/or organizations using 
any mixture of interactions. 

The items delivered and/or processed may be any "object" in digital format, including, but not limited 
to, objects containing or representing data types such as text, images, video, linear motion pictures in 
digital format, sound recordings and other audio information, computer software, smart agents, 
multimedia, and/or objects any combination of two or more data types contained within or representing 
a single compound object. 

Content (executables for example) delivered with proof of delivery and/or execution or other use. 
Secure electronic containers can be delivered. The containers can maintain control, audit, receipt and 
other information and protection securely and persistently in association with one or more items. 
Trustedness provides non-repudiation for legal and other transactions. 

Can handle and send any digital information (for example, analog or digital information representing 
text, graphics, movies, animation, images, video, digital linear motion pictures, sound and sound 
recordings, still images, software computer programs or program fragments, executables, data, and 
including multiple, independent pieces of text; sound clips, software for interpreting and presenting 
other elements of content, and anything else that is electronically representable). 

Provides automatic electronic mechanisms that associate transactions automatically with other 
transactions. 

System can automatically insert or embed a variety of visible or invisible "signatures" such as images 
of handwritten signatures, seals, and electronic "fingerprints" indicating who has "touched" (used or 
other interacted with in any monitorable manner) the item. 

System can affix visible seals on printed items such as documents for use both in encoding receipt and 
other receipt and/or usage related information and for establishing a visible presence and impact 
regarding the authenticity, and ease of checking the authenticity, of the item. 

Seals can indicate who originated, sent, received, previously received and redistributed, electronically 
view, and/or printed and/or otherwise used the item. 

Seals can encode digital signatures and validation information providing time, location, send and/or 
other information and/or providing means for item authentication and integrity check. 

Scanning and decoding of item seals can provide authenticity/integrity check of entire item(s) or part of 
an item (e.g., based on number of words, format, layout, image-picture and/or test-composition, etc.). 

Seals can be used to automatically associate electronic control sets for use in further item handling. 

System can hide additional information within the item using "steganography" for later retrieval and 
analysis. 

Steganography can be used to encode electronic fingerprints and/or other information into an item to 
prevent deletion. 

Multiple steganographic storage of the same fingerprint information may be employed reflecting 
"more" public and "less" public modes so that a less restricted steganographic mode (different 
encryption algorithm, keys, and/or embedding techniques) can be used to assist easy recognition by an 
authorized party and a more private (confidential) mode may be readable by only a few parties (or only 
one party) and compromise of the less restricted mode may not affect the security of the more private 
mode. 

Items such as documents can be electronically, optically scanned at the sender's end-and printed out in 
original, printed form at the recipient's end. 

Document handlers and processors can integrate document scanning and delivery. 

Can be directly integrated into enterprise and Internet (and similar network) wide document workflow 
systems and applications. 

Secure, tamper-resistant electronic appliance, which may employ VDE SPUs, used to handle items at 
both sender and recipient ends. 
"Original" item(s) can automatically be destroyed at the sender's end and reconstituted at the recipient's 
end to prevent two originals from existing simultaneously. 

Secure, non-repudiable authentication of the identification of a recipient before delivery using any 
number of different authentication techniques including but not limited to biometric techniques (such as 
palm print scan, signature scan, voice scan, retina scan, iris scan, biometric fingerprint and/or handprint 
scan, and/or face profile) and/or presentation of a secure identity "token." 

Non-repudiation provided through secure authentication used to condition events (e.g., a signature is 
affixed onto a document only if the system securely authenticates the sender and her intention to agree 
to its contents). 

Variety of return receipt options including but not limited to a receipt indicating who opened a 
document, when, where, and the disposition of the document (stored, redistributed, copied, etc.). These 
receipts can later be used in legal proceedings and/or other contexts to prove item delivery, receipt 
and/or knowledge. 

Audit, receipt, and other information can be delivered independently from item delivery, and become 
securely associated with an item within a protected processing environment. 

Secure electronic controls can specify how an item is to be processed or otherwise handled (e.g., 
document can't be modified, can be distributed only to specified persons, collections of persons, 
organizations, can be edited only by certain persons and/or in certain manners, can only be viewed and 
will be "destroyed" after a certain elapse of time or real time or after a certain number of handlings, 
etc.) 

Persistent secure electronic controls can continue to supervise item workflow even after it has been 
received and "read." 

Use of secure electronic containers to transport items provides an unprecedented degree of security, 
trustedness and flexibility. 

Secure controls can be used in conjunction with digital electronic certificates certifying as to identity, 
class (age, organization membership, jurisdiction, etc.) of the sender and/or receiver and/or user of 
communicated information. 

Efficiently handles payment and electronic addressing arrangements through use of support and 
administrative services such as a Distributed Commerce Utility as more fully described in the 
copending Shear, et al. application. 

Compatible with use of smart cards, including, for example, VDE enabled smart cards, for secure 
personal identification and/or for payment. 

Transactions may be one or more component transactions of any distributed chain of handling and 
control process including Electronic Data Interchange (EDI) system, electronic trading system, 
document workflow sequence, and banking and other financial communication sequences, etc. ('683 
6:18) 

- "Content providers and distributors have devised a number of limited function rights protection 
mechanisms to protect their rights. Authorization passwords and protocols, license servers, 
"lock/unlock" distribution methods, and non-electronic contractual limitations imposed on users of 
shrink-wrapped software are a few of the more prevalent content protection schemes. In a 
commercial context, these efforts are inefficient and limited solutions." ('900 2:64) 

- "The inability of conventional products to be shaped to the needs of electronic information providers 
and users is sharply in contrast to the present invention. Despite the attention devoted by a cross- 
section of America's largest telecommunications, computer, entertainment and information provider 
companies to some of the problems addressed by the present invention, only the present invention 
provides commercially secure, effective solutions for configurable, general purpose electronic 
commerce transaction/distribution control systems." ('193 2:13) 

- "The features of VDE allow it to function as the first trusted electronic information control 
environment that can conform to, and support, the bulk of conventional electronic commerce and data 
security requirements. In particular, VDE enables the participants in a business value chain model to 
create an electronic version of traditional business agreement terms and conditions and further enables 
these participants to shape and evolve their electronic commerce models as they believe appropriate to 
their business requirements." ('193 8:43) 

- An objective of VDE is supporting a transaction/distribution control standard. Development of such a 
standard has many obstacles, given the security requirements and related hardware and communications 
issues, widely differing environments, information types, types of information usage, business and/or 
data security goals, varieties of participants, and properties of delivered information. A significant 
feature of VDE accommodates the many, varying distribution and other transaction variables by, in 
part, decomposing electronic commerce and data security functions into generalized capability modules 
executable within a secure hardware SPU and/or corresponding software subsystem and further 
allowing extensive flexibility in assembling, modifying, and/or replacing, such modules (e.g. load 
modules and/or methods) in applications run on a VDE installation foundation. This configurability and 
reconfigurability allows electronic commerce and data security participants to reflect their priorities and 
requirements through a process of iteratively shaping an evolving extended electronic agreement 
(electronic control model). ('193 15:66) 

- Some of the key factors contributing to the configurability intrinsic to the present invention include: 

(a) integration into the fundamental control environment of a broad range of electronic appliances 
through portable API and programming language tools that efficiently support merging of control and 
auditing capabilities in nearly any electronic appliance environment while maintaining overall system 
security; 

(b) modular data structures; 

(c) generic content model; 

(d) general modularity and independence of foundation architectural components; 

(e) modular security structures; 

(f) variable length and multiple branching chains of control; and 

(g) independent, modular control structures in the form of executable load modules that can be 
maintained in one or more libraries, and assembled into control methods and models, and where such 
model control schemes can "evolve" as control information passes through the VDE installations of 
participants of a pathway of VDE content control information handling. ('193 16:66) 

- "Summary of Some Important Features Provided by VDE in Accordance With the Present Invention: 
VDE employs a variety of capabilities that serve as a foundation for a general purpose, sufficiently 
secure distributed electronic commerce solution. VDE enables an electronic commerce marketplace that 
supports divergent, competitive business partnerships, agreements, and evolving overall business 
models. For example, ... provide mechanisms that allow control information to "evolve" and be 
modified according, at least in part, to independently, securely delivered further control information. ... 
Handlers in a pathway of handling of content control information, to the extent each is authorized, can 
establish, modify, and/or contribute to, permission, auditing, payment, and reporting control 
information related to controlling, analyzing, paying for, and/or reporting usage of, electronic content 
and/or appliances (for example, as related to usage of VDE controlled property content)" ('193 21:43, 
29:21) 

- "Summary of Some Important Features Provided by VDE in Accordance With the Present Invention: 
VDE employs a variety of capabilities that serve as a foundation for a general purpose, sufficiently 
secure distributed electronic commerce solution. VDE enables an electronic commerce marketplace that 
supports divergent, competitive business partnerships, agreements, and evolving overall business 
models. For example, ... enable a user to securely extract, through the use of the secure subsystem at 
the user's VDE installation, at least a portion of the content included within a VDE content container to 
produce a new, secure object (content container), such that the extracted information is maintained in a 
continually secure manner through the extraction process." ('193 21:43 31:66) 

- "As with the content control information for most VDE managed content, features of the present 
invention allows [sic] the content's control information to: (a) "evolve," for example, the extractor of 
content may add new control methods and/or modify control parameter data, such as VDE application 
compliant methods, to the extent allowed by the content's in-place control information. ...(b) allow a 
user to combine additional content with at least a portion of said extracted content, ...(c) allow a user 
to securely edit at least a portion of said content while maintaining said content in a secure form within 
said VDE content container, ... (d) append extracted content to a pre-existing VDE content container 
object and attach associated control information ...(e) preserve VDE control over one or more portions 
of extracted content after various forms of usage of said portions ... Generally, the extraction features 
of the present invention allow users to aggregate and/or disseminate and/or otherwise use protected 
electronic content information extracted from content container sources while maintaining secure VDE 
capabilities thus preserving the rights of providers in said content information after various content 
usage processes." ('193 32:27) 

- The secure component based architecture of ROS 602 has important advantages. For example, it 
accommodates limited resource execution environments such as provided by a lower cost SPU 500. It 
also provides an extremely high level of configurability. In fact, ROS 602 will accommodate an almost 
unlimited diversity of content types, content provider objectives, transaction types and client 
requirements. In addition, the ability to dynamically assemble independently deliverable components at 
execution time based on particular objects and users provides a high degree of flexibility. ('193 87:63) 

- "Each logical object structure 800 may also include a "private body" 806 containing or referencing a 
set of methods 1000 (i.e., programs or procedures) that control use and distribution of the object 300. 
The ability to optionally incorporate different methods 1000 with each object is important to making 
VDE 100 highly configurable." ('193 128:25) 

- "VDE methods 1000 are designed to provide a very flexible and highly modular approach to secure 
processing." ('193 181:17) 

- "The reusable functional primitives of VDE 100 can be flexibly combined by content providers to 
reflect their respective distribution objectives." ('193 255:27) 

- "the present invention truly achieves a content control and auditing architecture that can be configured 
to most any commercial distribution embodiment." ('193 261:12) 

- "Adding new content to objects is an important aspect of authoring provided by the present invention. 
Providers may wish to allow one or more users to add, hide, modify, remove and/or extend content that 
they provide. In this way, other users may add value to, alter for a new purpose, maintain, and/or 
otherwise change, existing content. The ability to add content to an empty and/or newly created object 
is important as well." ('193 261:23) 

- "The distribution control information provided by the present invention allows flexible positive 
control. No provider is required to include any particular control, or use any particular strategy, except 
as required by senior control information. Rather, the present invention allows a provider to select from 
generic control components (which may be provided as a subset of components appropriate to a 
provider's specific market, for example, as included in and/or directly compatible with, a VDE 
application) to establish a structure appropriate for a given chain of handling/control." ('193 297:9) 

- "Importantly, VDE securely and flexibly supports editing the content in, extracting content from, 
embedding content into, and otherwise shaping the content composition of, VDE content containers. 
Such capabilities allow VDE supported product models to evolve by progressively reflecting the 
requirements of "next" participants in an electronic commercial model." ('193 297:9) 

- "For instance, the user may have an "access" right, and an "extraction" right, but not a "copy" right." 
('193 159:24) 

- "PERCS 808 specify a set of rights that may be exercised to use or access the corresponding VDE 
object 300. The preferred embodiment allows users to "customize" their access rights by selecting a 
subset of rights authorized by a corresponding PERC 808 and/or by specifying parameters or choices 
that correspond to some or all of the rights granted by PERC 808. These user choices are set forth in a 
user rights table 464 in the preferred embodiment. User rights table (URT) 464 includes URT records, 
each of which correspond to a user (or group of users). Each of these URT records specific users 
choices for a corresponding VDE object more methods 1000 for exercising the rights granted to the 
user by the PERC 808 in a way specified by the choices contained within the URT record." ('193 
156:55) 

- "PERC and URT structures provide a mechanism that may be used to provide precise electronic 
representation of rights and the controls associated with those rights. VDE thus provides a 
"vocabulary" and mechanism by which users and creators may specify their desires." ('193 245:10) 

- "In sum, the present invention allows information contained in electronic information products to be 
supplied according to user specification. Tailoring to user specification allows the present invention to 
provide the greatest value to users, which in turn will generate the greatest amount of electronic 
commerce activity." ('193 22:66) 

- Function: "Adding new content to objects is an important aspect of authoring provided by the present 
invention. Providers may wish to allow one or more users to add, hide, modify, remove and/or extend 
content that they provide. In this way, other users may add value to, alter for a new purpose, maintain, 
and/or otherwise change, existing content. The ability to add content to an empty and/or newly created 
object is important as well." ('193 261:23) 

- Function: "Each logical object structure 800 may also include a "private body" 806 containing or 
referencing a set of methods 1000 (i.e., programs or procedures) that control use and distribution of the 
object 300. The ability to optionally incorporate different methods 1000 with each object is important 
to making VDE 100 highly configurable." ('193 128:25) 

- Function: "An important aspect of adding or modifying content is the choice of encryption/decryption 
keys and/or other relevant aspects of securing new or altered content" ('193 262:21) 

- Function: "Importantly, VDE securely and flexibly supports editing the content in, extracting content 
from, embedding content into, and otherwise shaping the content composition of, VDE content 
containers" ('193 297:9) 

- "VDE also features fundamentally important capabilities for managing content that travels "across" the 
"information highway." These capabilities comprise a rights protection solution that serves all 
electronic community members. These members include content creators and distributors, financial 
service providers, end-users, and others. VDE is the first general purpose, configurable, transaction 
control/rights protection solution for users of computers, other electronic appliances, networks, and the 
information highway." ('193 2:27) 

- VDE provides a unified solution that allows all content creators, providers, and users to employ the 
same electronic rights protection solution. ('193 5:17) 

- "Since different groups of components can be put together for different applications, the present 
invention can provide electronic control information for a wide variety of different products and 
markets. This means the present invention can provide a "unified," efficient, secure, and cost-effective 
system for electronic commerce and data security. This allows VDE to serve as a single standard for 
electronic rights protection, data security, and electronic currency and banking." ('193 7:6) 

- "Employing VDE as a general purpose electronic transaction/distribution control system allows users 
to maintain a single transaction management control arrangement on each of their computers, networks, 
communication nodes, and/or other electronic appliances. Such a general purpose system can serve the 
needs of many electronic transaction management applications without requiring distinct, different 
installations for different purposes. As a result, users of VDE can avoid the confusion and expense and 
other inefficiencies of different, limited purpose transaction control applications for each different 
content and/or business model. For example, VDE allows content creators to use the same VDE 
foundation control arrangement for both content authoring and for licensing content from other content 
creators for inclusion into their products or for other use. Clearinghouses, distributors, content creators, 
and other VDE users can all interact, both with the applications running on their VDE installations, and 
with each other, in an entirely consistent manner, using and reusing (largely transparently) the same 
distributed tools, mechanisms, and consistent user interfaces, regardless of the type of VDE activity." 
('193 11:38) 

- An objective of VDE is supporting a transaction/distribution control standard. ('193 55:66) 

- Summary of Some Important Features Provided by VDE in Accordance With the Present 
Invention.... The design of the VDE foundation, VDE load modules, and VDE containers, are 
important features that enable the VDE node operating environment to be compatible with a very broad 
range of electronic appliances. The ability, for example, for control methods based on load modules to 
execute in very "small" and inexpensive secure sub-system environments, such as environments with 
very little read/write memory, while also being able to execute in large memory sub-systems that may 
be used in more expensive electronic appliances, supports consistency across many machines. This 
consistent VDE operating environment, including its control structures and container architecture, 
enables the use of standardized VDE content containers across a broad range of device types and host 
operating environments. Since VDE capabilities can be seamlessly integrated as extensions, additions, 
and/or modifications to fundamental capabilities of electronic appliances and host operating systems, 
VDE containers, content control information, and the VDE foundation will be able to work with many 
device types and these device types will be able to consistently and efficiently interpret and enforce 
VDE control information. ('193 21:43, 34:26) 

- This rationalization stems from the reusability of control structures and user interfaces for a wide 
variety of transaction management related activities. As a result, content usage control, data security, 
information auditing, and electronic financial activities, can be supported with tools that are reusable, 
convenient, consistent, and familiar. In addition, a rational approach-a transaction/distribution control 
standard-allows all participants in VDE the same foundation set of hardware control and security, 
authoring, administration, and management tools to support widely varying types of information, 
business market model, and/or personal objectives. ('193 11:26) 

- Because of the breadth of issues resolved by the present invention, it can provide the emerging 
"electronic highway" with a single transaction/distribution control system that can, for a very broad 
range of commercial and data security models, ensure against unauthorized use of confidential and/or 
proprietary information and commercial electronic transactions. VDE's electronic transaction 
management mechanisms can enforce the electronic rights and agreements of all parties participating in 
widely varying business and data security models, and this can be efficiently achieved through a single 
VDE implementation within each VDE participant's electronic appliance. VDE supports widely varying 
business and/or data security models that can involve a broad range of participants at various "levels" of 
VDE content and/or content control information pathways of handling. Different content control and/or 
auditing models and agreements may be available on the same VDE installation. These models and 
agreements may control content in relationship to, for example, VDE installations and/or users in 
general; certain specific users, installations, classes and/or other groupings of installations and/or users; 
as well as to electronic content generally on a given installation, to specific properties, property 
portions, classes and/or other groupings of content. ('193 17:22) 

- "the present invention's trusted/secure, universe wide, distributed transaction control and 
administration system." ('193 35:66) 

- "Commerce Utility Systems 90 are generalized and programmable..." ('712 67:7) 

- "Providers of "electronic currency" have also created protections for their type of content. These 
systems are not sufficiently adaptable, efficient, nor flexible enough to support the generalized use of 
electronic currency. Furthermore, they do not provide sophisticated auditing and control configuration 
capabilities. This means that current electronic currency tools lack the sophistication needed for many 
real-world financial business models. VDE provides means for anonymous currency and for 
"conditionally" anonymous currency, wherein currency related activities remain anonymous except 
under special circumstances." ('193 3:10) 

- "Traditional content control mechanisms often require users to purchase more electronic information 
than the user needs or desires. For example, infrequent users of shrink-wrapped software are required to 
purchase a program at the same price as frequent users, even though they may receive much less value 
from their less frequent use. Traditional systems do not scale cost according to the extent or character of 
usage and traditional systems can not attract potential customers who find that a fixed price is too high. 
Systems using traditional mechanisms are also not normally particularly secure. For example, shrink- 
wrapping does not prevent the constant illegal pirating of software once removed from either its 
physical or electronic package." ('193 5:50) 

- "Traditional electronic information rights protection systems are often inflexible and inefficient and 
may cause a content provider to choose costly distribution channels that increase a product's price. In 
general these mechanisms restrict product pricing, configuration, and marketing flexibility. These 
compromises are the result of techniques for controlling information which cannot accommodate both 
different content models and content models which reflect the many, varied requirements, such as 
content delivery strategies, of the model participants. This can limit a provider's ability to deliver 
sufficient overall value to justify a given product's cost in the eyes of many potential users. VDE allows 
content providers and distributors to create applications and distribution networks that reflect content 
providers' and users' preferred business models. It offers users a uniquely cost effective and feature rich 
system that supports the ways providers want to distribute information and the ways users want to use 
such information." ('193 5:36) 

- "VDE does not require electronic content providers and users to modify their business practices and 
personal preferences to conform to a metering and control application program that supports limited, 
largely fixed functionality [sic]. Furthermore, VDE permits participants to develop business models not 
feasible with non-electronic commerce, for example, involving detailed reporting of content usage 
information, large numbers of distinct transactions at hitherto infeasible low price points, "pass-along" 
control information that is enforced without involvement or advance knowledge of the participants, 
etc." ('193 9:67) 

- "VDE can further be used to enable commercially provided electronic content to be made available to 
users in user defined portions, rather than constraining the user to use portions of content that were 
"predetermined" by a content creator and/or other provider for billing purposes." ('193 11:66) 

- "The "usage map" concept provided by the preferred embodiment may be tied to the concept of 
"atomic elements." In the preferred embodiment, usage of an object 300 may be metered in terms of 
"atomic elements." In the preferred embodiment, an "atomic element" in the metering context defines a 
unit of usage that is "sufficiently significant" to be recorded in a meter. The definition of what 
constitutes an "atomic element" is determined by the creator of an object 300. For instance, a "byte" of 
information content contained in an object 300 could be defined as an "atomic element," or a record of 
a database could be defined as an "atomic element," or each chapter of an electronically published book 
could be defined as an "atomic element"" ('193 144:53) 

- Summary of Some Important Features Provided by VDE in Accordance With the Present Invention. 
VDE employs a variety of capabilities that serve as a foundation for a general purpose, sufficiently 
secure distributed electronic commerce solution. VDE enables an electronic commerce marketplace that 
supports divergent, competitive business partnerships, agreements, and evolving overall business 
models. For example, VDE includes features that: support dynamic user selection of information 
subsets of a VDE electronic information product (VDE controlled content). This contrasts with the 
constraints of having to use a few high level individual, pre-defined content provider information 
increments such as being required to select a whole information product or product section in order to 
acquire or otherwise use a portion of such product or section. VDE supports metering and usage control 
over a variety of increments (including "atomic" increments, and combinations of different increment 
types) that are selected ad hoc by a user and represent a collection of pre-identified one or more 
increments (such as one or more blocks of a preidentified nature, e.g., bytes, images, logically related 
blocks) that form a generally arbitrary, but logical to a user, content "deliverable." VDE control 
information (including budgeting, pricing and metering) can be configured so that it can specifically 
apply, as appropriate, to ad hoc selection of different, unanticipated variable user selected aggregations 
of information increments and pricing levels can be, at least in part, based on quantities and/or nature of 
mixed increment selections (for example, a certain quantity of certain text could mean associated 
images might be discounted by 15%; a greater quantity of text in the "mixed" increment selection might 
mean the images are discounted 20%). Such user selected aggregated information increments can 
reflect the actual requirements of a user for information and is more flexible than being limited to a 
single, or a few, high level, (e.g. product, document, database record) predetermined increments. Such 
high level increments may include quantities of information not desired by the user and as a result be 
more costly than the subset of information needed by the user if such a subset was available. In sum, 
the present invention allows information contained in electronic information products to be supplied 
according to user specification. Tailoring to user specification allows the present invention to provide 
the greatest value to users, which in turn will generate the greatest amount of electronic commerce 
activity. The user, for example, would be able to define an aggregation of content derived from various 
portions of an available content product, but which, as a deliverable for use by the user, is an entirely 
unique aggregated increment. The user may, for example, select certain numbers of bytes of 
information from various portions of an information product, such as a reference work, and copy them 
to disc in unencrypted form and be billed based on total number of bytes plus a surcharge on the 
number of "articles" that provided the bytes. A content provider might reasonably charge less for such a 
user defined information increment since the user does not require all of the content from all of the 
articles that contained desired information. ('193 21:43, 22:32) 

- Summary of Some Important Features Provided by VDE in Accordance With the Present 
Invention.... Differing models for billing, auditing, and security can be applied to the same piece of 
electronic information content and such differing sets of control information may employ, for control 
purposes, the same, or differing, granularities of electronic information control increments. ('193 21:43, 
28:23) 

- "The VDE templates, classes, and control structures are inherently flexible and configurable to 
reflect the breadth of information distribution and secure storage requirements, to allow for efficient 
adaptation into new industries as they evolve, and to reflect the evolution and/or change of an existing 
industry and/or business, as well as to support one or more groups of users who may be associated with 
certain permissions and/or budgets and object types. The flexibility of VDE templates, classes, and 
basic control structures is enhanced through the use of VDE aggregate and control methods which have 
a compound, conditional process impact on object control. Taken together, and employed at times with 
VDE administrative objects and VDE security arrangements and processes, the present invention truly 
achieves a content control and auditing architecture that can be configured to most any commercial 
distribution embodiment. Thus, the present invention fully supports the requirements and biases of 
content providers without forcing them to fit a predefined application model. It allows them to define 
the rights, control information, and flow of their content (and the return of audit information) through 
distribution channels" ('193 260:66) 

- "VDE also extends usage control information to an arbitrary granular level (as opposed to a file based 
level provided by traditional operating systems) and provides flexible control information over any 
action associated with the information which can be described as a VDE controlled process." ('193 
275:8) 

- "The situation is no better for processing documents within the context of ordinary computer and 
network systems. Although said systems can enforce access control information based on user identity, 
and can provide auditing mechanisms for tracking accesses to files, these are low-level mechanisms 
that do not permit tracking or controlling the flow of content. In such systems, because document 
content can be freely copied and manipulated, it is not possible to determine where document content 
has gone, or where it came from. In addition, because the control mechanisms in ordinary computer 
operating systems operate at a low level of abstraction, the entities they control are not necessarily the 
same as those that are manipulated by users. This particularly causes audit trails to be cluttered with 
voluminous information describing uninteresting activities." ('193 281 J2T) 

- "Importantly, VDE securely and flexibly supports editing the content in, extracting content from, 
embedding content into, and otherwise shaping the content composition of, VDE content containers." 
('193 297:9) 

- "The InterTrust DigiBox container model allows and facilitates these and other different container 
uses. It facilitates detailed container customization for different uses, classes of use and/or users in 
order to meet different needs and business models. This customization ability is very important, 
particularly when used in conjunction with a general purpose, distributed rights management 
environment such as described in Ginter, et al. Such an environment calls for a practical optimization of 
customizability, including customizability and transparency for container models. This customization 
flexibility has a number of advantages, such as allowing optimization (e.g., maximum efficiency, 
minimum overhead) of the detailed container design for each particular application or circumstance so 
as to allow many different container designs for many different purposes (e.g., business models) to exist 
at the same time and be used by the rights control client (node) on a user electronic appliance such as a 
computer or entertainment device." ('861 2:49) 

- "The node and container model described above and in the Ginter et al. patent specification (along 
with similar other DigiBox/VDE (Virtual Distribution Environment) models) has nearly limitless 
flexibility." ('861 2:37) 

- "Such capabilities allow VDE supported product models to evolve by progressively reflecting 
requirements of "next" participants in an electronic commercial models." ('193 297:12) 

Extrinsic: 

VDE: VDE is the broad name given to a comprehensive system (algorithms, software, and hardware) 
that provides metering, securing, and administration tools for intellectual property. VDE stands for 
"Virtual Distribution Environment." (VDE ROI DEVICE v1.0a 9 Feb 1994, IT00008570) 

Virtual: Pertaining to a functional unit that appears to be real, but whose functions are accomplished by 
other means. (IBM) 

Environment: 1. The aggregate of external circumstances, conditions, and objects that affect the 
development, operation, and maintenance of a system. 2. In computer security, those factors, both 
internal and external, of an ADP system that help to define the risks associated with its operation. 
(Longley) 

Environment: See InterTrust node: A computer that is enabled for processing of DigiBox containers 
by installation of a PPE, which may be either hardware or software based. A node may include 
application software and/or operating system integration. The node is also termed the environment. 
(ITG, 8/21/95, IT00032375, TD00068B) 

InterTrust Commerce Architecture model: A model that defines a general-purpose distributed 
architecture for secure electronic commerce and digital rights management. The InterTrust Commerce 
Architecture model includes four key software elements: DigiBox secure containers, InterRights Point 
software with associated protected database, the InterTrust Transaction Authority Framework, and the 
InterTrust Deployment Manager. (ITG, 1997, ML00012A) 

VDE is a system using secure computing technology to enforce a chain of handling and control 
representing the rights of interested parties. (ITG, 3/7/1995, IT00709616) (see footnote 2) 

Virtual Distribution Environment (VDE): A set of components that protects content and enforces rights 
associated with content. (ITG, 3/7/1995, IT00709620, see footnote 2) 

Virtual Distribution Environment: or "VDE" shall mean a system which guarantees: (i) that the 
content creators, publishers, and/or distributors of information receive agreed upon fees for the use of, 
and/or records of the use of, electronic content; and/or (ii) that stored and/or distributed information 
will be used only in authorized ways. More particularly, VDE relates to systems for applying controls 
to, and controlling and/or auditing use of, electronically stored and/or disseminated information. 
(License Agreement, National Semiconductor and EPR, 3/18/94, Exhibit 12 to IT 30(b)(6)) 

IT000J 689-96, IT0709785 (VDE on a Page), IT000202-29 


'193:1 


"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment." 

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2 
See "Virtual Distribution Environment" above. 


receiving a 
digital file 
including music 


Intrinsic: 

- "Moreover, when any new VDE object 300 arrives at an electronic appliance 600, the electronic 
appliance must "register" the object within object registry 450 so that it can be accessed." ('193 153:56) 

- "FIGS. 114A and 114B show an example process 4600 for receiving an item. In this example, 
electronic appliance 600 that has received an electronic object 300 may first generate a notification to 
PPE 650 that the container has arrived (FIG. 114A, block 4602). PPE 650 may, in response, use the 
dynamic user interaction techniques discussed above to interact with and authenticate the recipient in 
accordance with the electronic controls 4078 within the received object 300 (FIG. 114A block 4603; 
authentication routine shown in FIG. 111). Intended recipient 4056 may be given an option of accepting 
or declining delivery of the object (FIG. 114A, block 4604). If intended recipient 4056 accepts the item, 
appliance may store the container 302 locally (FIG. 114A, block 4606) and then generate a "register 
object" event for processing by PPE 650." 

- while grandparent ('107) did not refer to fax transmission or physical mail, it did recite that the 
delivery means could be by "physical storage media" or by transferring "physical things" ('193 3:26, 
K-A 14-71 1R-10 127'6 242*32^ 

"In this example, the trusted electronic go-between between 4700 receives notification that the 
electronic container 302 has arrived (FIG. 121, block 4752), may store the container locally (FIG. 121, 
block 4754), and opens and authenticates the container and its contents (FIG. 121, block 4756). The 
trusted electronic go-between 4700 may then, if necessary, obtain and locally register any method/rules 
required to interact with secure container 302 (FIG. 121, block 4758)." 

Extrinsic: 


a budget 
specifying the 
number of copies 
which can be 
made of said 
digital file 


Intrinsic: 

- For example, content control information for a given piece of content may be stipulated as senior 
information and therefore not changeable, might be put in place by a content creator and might stipulate 
that national distributors of a given piece of their content may be permitted to make 100,000 copies per 
calendar quarter, so long as such copies are provided to bona fide end-users, but may pass only a single 
copy of such content to a local retailers and the control information limits such a retailer to making no 
more than 1,000 copies per month for retail sales to end-users. In addition, for example, an end-user of 
such content might be limited by the same content control information to making three copies of such 
content, one for each of three different computers he or she uses (one desktop computer at work, one for 
a desktop computer at home, and one for a portable computer). ('193 48:19) 

- "storing a first digital file and a first control in a first secure container, said first control constituting 
a first budget which governs the number of copies which may be made of said first digital file or a 
portion of said first digital file while said first digital file is contained in said first secure container," 
('193 claim 60) 

- "A certain content provider might, for example, require metering the number of copies made for 
distribution to employees of a given software program (a portion of the program might be maintained in 
encrypted form and require the presence of a VDE installation to run). This would require the execution 
of a metering method for copying of the property each time a copy was made for another employee." 
('193 20:36) 

- For example, in the earlier example of a user with a desktop and a notebook computer, a provider 
may allow a user to make copies of information necessary to enable the notebook computer based on 
information present in the desktop computer, but not allow any further copies of said information to be 
made by the notebook VDE node. In this example, the distribution control structure described earlier 
would continue to exist on the desktop computer, but the copies of the enabling information passed to 
the notebook computer would lack the required distribution control structure to perform distribution 
from the notebook computer. Similarly, a distribution control structure may be provided by a content 
provider to a content provider who is a distributor in which a control structure would enable a certain 
number of copies to be made of a VDE content container object along with associated copies of 
permissions records, but the permissions records would be altered (as per specification of the content 
provider, for example) so as not to allow end-users who received distributor created copies from 
making further copies for distribution to other VDE nodes. ('193 264:29) 

- "Similarly, a distribution control structure may be provided ... so as not to allow end-users who 
received distributor created copies from making further copies for distribution to other VDE nodes." 
('193 264:40) 

- SPU 500 is enclosed within and protected by a "tamper resistant security barrier" 502. Security 
barrier 502 separates the secure environment 503 from the rest of the world. It prevents information and 
processes within the secure environment 503 from being observed, interfered with and leaving except 
under appropriate secure conditions. ('193 59:48) 

- "Secure container 302 may also contain an electronic, digital control structure 4078. This control 
structure 4078 (which could also be delivered independently in another container 302 different from the 
one carrying the image 4068I and/or the data 4068D) may contain important information controlling 
use of container 302. For example, controls 4078 may specify who can open container 302 and under 
what conditions the container can be opened. Controls 4078 might also specify who, if anyone, object 
300 can be passed on to. As another example, controls 4078 might specify restrictions on how the 
image 4068I and/or data 4068D can be used (e.g., to allow the recipient to view but not change the 
image and/or data as one example). The detailed nature of control structure 4078 is described in 
connection, for example, with FIGS. 11D-11J; FIG. 15; FIGS. 17-26B; and FIGS. 41A-61." ('683 25:62) 

- "Many objects 300 that are distributed by physical media and/or by "out of channel" means (e.g., 
redistributed after receipt by a customer to another customer) might not include key blocks 810 in the 
same object 300 that is used to transport the content protected by the key blocks. This is because VDE 
objects may contain data that can be electronically copied outside the confines of a VDE node. If the 
content is encrypted, the copies will also be encrypted and the copier cannot gain access to the content 
unless she has the appropriate decryption key(s)." ('193 128:66) 

Although block 1262 includes encrypted summary services information on the back up, it preferably 
does not include SPU device private keys, shared keys, SPU code and other internal security 
information to prevent this information from ever becoming available to users even in encrypted form. 
('193 166:59) 

Extrinsic: 


controlling the 
copies made of 
said digital file 


See above. 


determining 
whether said 
digital file may 
be copied and 
stored on a 
second device 
based on at least 
said copy control 


Intrinsic: 

- "Similarly, a distribution control structure may be provided ... so as not to allow end-users who 
received distributor created copies from making further copies for distribution to other VDE nodes." 
('193 264:40) 

- "As mentioned above, traveling objects enable objects 300 to be distributed "Out-Of-Channel;" that 
is, the object may be distributed by an unauthorized or not explicitly authorized individual to another 
individual. "Out of channel" includes paths of distribution that allow, for example, a user to directly 
redistribute an object to another individual. For example, an object provider might allow users to 
redistribute copies of an object to their friends and associates (for example by physical delivery of 
storage media or by delivery over a computer network) such that if a friend or associate satisfies any 
certain criteria required for use of said object, he may do so." ('193 131:53) 

- "In some cases, the extract rights require an exact copy of the PERC 808 associated with the original 
object (or a PERC included for this purpose) to be placed in the new (destination) container ("no" exit 
to decision block 2096)." ('193 194:47) 

- "Metering, billing, and budgeting can allow a provider to enable and limit the copying of a 
permissions record 808." ('193 263:54) 

- "In some circumstances, it may be desirable for a provider to control how administrative processes 
are performed. The provider may choose to include in distribution records stored in secure database 610 
information for use in conjunction with a component assembly 690 that controls and specifies, for 
example, how processing for a given event in relation to a given method and/or record should be 
performed. For example, if a provider wishes to allow a user to make copies of a permissions record- 
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SO 8, she may want to alter the permissions record internally. For example, in the earlier example of a 
user with a desktop and a notebook computer, a provider may allow a user to make copies of 
information necessary to enable the notebook computer based on information present in the desktop 
computer, but not allow any further copies of said information to be made by the notebook VDE node. 
In this example, the distribution control structure described earlier would continue to exist on the 
desktop computer, but the copies of the enabling information passed to the notebook computer would 
lack the required distribution control structure to perform distribution from the notebook computer. 
Similarly, a distribution control structure may be provided by a content provider to a content provider 
who is a distributor in which a control structure would enable a certain number of copies to be made of 
a VDE content container object along with associated copies of permissions records, but the 
permissions records would be altered (as per specification of the content provider, for example) so as 
not to allow end-users who received distributor created copies from making further copies for 
distribution to other VDE nodes." ('193 264:20) 

"Transfer of ownership of a VDE object 300 is a special case in which all of the permissions and/or 
budgets for a VDE object are redistributed to a different PPE 650. Some VDE objects may require that 
all object-related information be delivered (e.g., it's possible to "sell" all rights to the object). However, 
some VDE objects 300 may prohibit such a transfer." ('193 220:41) 

Extrinsic: 


if said copy 
control allows at 
least a portion of 
said digital file to 
be copied and 
stored on a 
second device 


Intrinsic: 

"Persistence of control includes the ability to extract information from a VDE container object by 
creating a new container whose contents are at least in part secured and that contains both the extracted 
content and at least a portion of the control information which control information of the original 
container and/or are at least in part produced by control information of the original container for this 
purpose and/or VDE installation control information stipulates should persist and/or control usage of 
content in the newly formed container." ('193 28:50) 

"enable a user to securely extract, through the use of the secure subsystem at the user's VDE 
installation, at least a portion of the content included within a VDE content container to produce a new, 
secure object (content container), such that the extracted information is maintained in a continually 
secure manner through the extraction process. Formation of the new VDE container containing such 
extracted content shall result in control information consistent with, or specified by, the source VDE 
content container, and/or local VDE installation secure subsystem as appropriate, content control 
information. Relevant control information, such as security and administrative information, derived, at 
least in part, from the parent (source) object's control information, will normally be automatically 
inserted into a new VDE content container object containing extracted VDE content. This process 
typically occurs under the control framework of a parent object and/or VDE installation control 
information executing at the user's VDE installation secure subsystem (with, for example, at least a 
portion of this inserted control information being stored securely in encrypted form in one or more 
permissions records)." ('193 31:66) 

Extrinsic: 


copying at least a 
portion of said 
digital file 


Intrinsic: 

"Usage map meters are thus an efficient means for referencing prior usage. They may be used to enable 
certain VDE related security functions such as testing for contiguousness (including relative 
contiguousness), logical relatedness (including relative logical relatedness), usage randomization, and 
other usage patterns. For example, the degree or character of the "randomness" of content usage by a 
user might serve as a potential indicator of attempts to circumvent VDE content budget limitations. A 
user or groups of users might employ multiple sessions to extract content in a manner which does not 
violate contiguousness, logical relatedness or quantity limitations, but which nevertheless enables 
reconstruction of a material portion or all of a given, valuable unit of content. Usage maps can be 
analyzed to determine other patterns of usage for pricing such as, for example, quantity discounting 
after usage of a certain quantity of any or certain atomic units, or for enabling a user to reaccess an 
object for which the user previously paid for unlimited accesses (or unlimited accesses over a certain 
time duration). Other useful analyses might include discounting for a given atomic unit for a plurality 
of uses." ('193 146:54) 

Extrinsic: 


transferring at 
least a portion of 
said digital file to 
a second device 


Intrinsic: 

- "In this case, these users may still be able to transfer some or all usage rights to another electronic 
appliance 600, and/or they may be permitted to move some of their rights to another electronic 
appliance, if such transferring and/or moving is permitted by the usage permissions received from the 
repository 200g." ('193 317:12) 

- "A result of processing the distribute event within the BUDGET method might be a secure 
communication (1454) between VDE nodes 102 and 106 by which a budget granting use and 
redistribute rights to the distributor 106 may be transferred from the creator 102 to the distributor." 
('193 173:1) 

"VDE securely managed content (e.g. through the use of a VDE aware application or operating system 
having extraction capability) may be identified for extraction from each of one or more locations within 
one or more VDE content containers and may then be securely embedded into a new or existing VDE 
content container through processes executing VDE controls in a secure subsystem PPE 650." ('193 
303:26) 

Extrinsic: 


storing said 
digital file 


See above. 


'193:11 


Intrinsic: 

"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment." 

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2 
See "Virtual Distribution Environment" above. 


receiving a 
digital file 


See above. 


determining 
whether said 
digital file may 
be copied and 
stored on a 
second device 
based on said 
first control 


See above. 


identifying said 
second device 


See above. 


whether said first 
control allows 
transfer of said 
copied file to 
said second 
device 


See above. 




said 

determination 
based at least in 
part on the 
features present 
at the device 


Intrinsic: 

- "The software-based tamper resistant barrier 674 provided by HPE 655 may be provided, for 
example, by: ... using a map of defects on a storage device (e.g., a hard disk, memory card, etc.) to 
form internal test values to impede moving and/or copying HPE 655 to other electronic appliances 600" 
('193 80:40) 

"The degree of trustedness of a VDE arrangement will be primarily based on whether hardware SPUs 
are employed at participant location secure subsystems and the effectiveness of the SPU hardware 
security architecture, software security techniques when an SPU is emulated in software, and the 
encryption algorithm(s) and keys that are employed for securing content, control information, 
communications, and access to VDE node (VDE installation) secure subsystems." ('193 45:52) 

"Independent claim 122 recites "determining step including identifying said second device and 
determining whether said first control allows transfer of said copied file to said device, said 
determination based at least in part on the features present at the device to which said copied file is to 
be transferred" which distinguishes over Lofberg which provides for determination of the 
identification of a second device (the user station) but dies [sic] not provide for basing the 
determination at least in part on the features present at the device to which the copied file is to be 
transferred." 

"At the terminal TERM the personal data carrier ID is used for the input of customer identification 
information, for example an account number or a corresponding information. Simultaneously, the time 
of rent and a programme identification information is supplied to the terminal." 
(Lofberg, U.S. Pat. No. 4,595,950, 12:51-56) 

09/208,017 ('193), Examiner's Supplemental Notice of Allowability, 11/06/00, p. 2 (MSI026638) 

Extrinsic: 


if said first 
control allows at 
least a portion of 
said digital file to 
be copied and 
stored on a 
second device 


See above. 


copying at least a 

portion of said 

digital file 


See above. 


transferring at 
least a portion of 
said digital file to 
a second device 


See above. 


storing said 
digital file 


See above. 


'193:15 


"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment." 

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2 



EXHIBIT D TO JOINT CLAIM CONSTRUCTION STATEMENT- Page 79 of 100 



Claim Term 


MS Construction 




See "Virtual Distribution Environment" above. 


receiving a 

digital file 




an authentication 
step comprising: 


Intrinsic: 

"The secure subsystems at said user nodes utilize a protocol that establishes and authenticates each 
node's and/or participant's identity" ('193 12:35) 

Extrinsic: 


accessing at least 
one identifier 
associated with a 
first device or 
with a user of 
said first device 


Intrinsic: 

- "a stipulation that the traveling object may be used on certain one or more installations or 
installation classes or users or user classes where classes correspond to a specific subset of installations 
or users who are represented by a predefined class identifiers stored in a secure database 610" ('193 131:40) 

- "Thus, if the user had a VDE node, the user might be able to use the traveling object ... if he or his 
VDE node belonged to a specially authorized group of users or installations" ('193 132:13) 

- "A traveling object might register its user within itself and thereafter only be useable by that one 
user." ('193 133:43) 

- "Administrative objects, for example, may increase or otherwise adjust budgets and/or permissions 
of the receiving VDE node to which the administrative object is being sent." ('193 135:21) 

- "This metering process may ... record the VDE node name, user name, associated object 
identification information, time, date, and/or other identification information. Some or all of this 
information can become part of audit information securely reported by a clearinghouse or distributor.... 
For each metered one or more permissions records (or set of records) that were created for a certain user 
(and/or VDE node) to manage use of certain one or more VDE object(s) and/or to manage the creation 
of VDE object audit reports, it may be desirable that an auditor receive corresponding audit information 
incorporated into an, at least in part, encrypted audit report." ('193 273:58) 

- "provide very flexible and extensible user identification according to individuals, installations, by 
groups such as classes" ('193 25:31) 

"During the same or different communication session, the terminal could similarly, securely 
communicate back to the portable appliance 2600 VDE secure subsystem details as to the retail 
transaction (for example, what was purchased and price, the retail establishment's digital signature, the 
retail terminal's identifier, tax related information, etc.)." ('193 233:35) 

Extrinsic: 

"User Authentication: The [Database Management System] can require rigorous user authentication. For 
example, a DBMS might require a user to pass both specific password and time-of-day checks." 
(Pfleeger, p.307) 


determining 
whether said 
identifier is 
associated with a 
device and/or 
user authorized 
to store said 
digital file 


See above. 


storing said 
digital file in a 
first secure 
memory of said 
first device, but 
only if said 
device and/or 
user is so 
authorized, but 
not proceeding 
with said storing 
if said device 
and/or user is not 
authorized 


Intrinsic: 

Claims 91 and 132, as added with this Preliminary Amendment 
"91. A method comprising: 
receiving a digital file; 

storing said digital file in a first secure memory of a first device; 

storing information associated with said digital file in a secure database stored on said first 
device, said information including at least one control; 

determining whether said digital file may be copied and stored on a second device based on 
said at least one control; 

if said at least one control allows at least a portion of said digital file to be copied and stored 
on a second device, 

copying at least a portion of said digital file; 

transferring at least a portion of said digital file to a second device including a memory and an 
audio and/or video output; 

storing said digital file in said memory of said second device; and 

rendering said digital file through said output" 
"132. A method as in claim 91, further comprising: 

an authentication step occurring prior to said step of storing said digital file in said memory of 
said first device, said authentication step comprising: 

accessing at least one identifier associated with said first device or with a user of said first 
device; 

determining whether said identifier is associated with a device and/or user authorized to store 
said digital file; and 

proceeding with said storing step if said device and/or user is so authorized, but not proceeding 
with said step if said device and/or user is not authorized" 

09/208,017 ('193), Preliminary Amendment, 12/09/98, p. 1-2, 12 

"Claims ... 132-134 ... are objected to as being dependent upon a rejected base claim, but would be 
allowable if rewritten in independent form including all of the limitations of the base claim and any 
intervening claims." 

09/208,017 ('193), Office Action, 06/07/00, p. 4-5 

"132. (Amended) A method [as in claim 91, further ] comprising: 
receiving a digital file; 

an authentication step [occurring prior to said step of storing said digital file in said memory of 
said first device, said authentication step] comprising: 

accessing at least one identifier associated with a [said] first device or with a user of said first 
device; and 

determining whether said identifier is associated with a device and/or user authorized to store 
said digital file; [and proceeding with said storing step]; 

storing said digital file in a first secure memory of said first device, but only [proceeding with 
said storing step] if said device and/or user is so authorized, but not proceeding with said storing [step] 
if said device and/or user is not authorized; 

storing information associated with said digital file in a secure database stored on said first 
device, said information including at least one control; 


determining whether said digital file may be copied and stored on a second device based on 
said at least one control; 

if said at least one control allows at least a portion of said digital file to be copied and stored 
on a second device, 

copying at least a portion of said digital file; 

transferring at least a portion of said digital file to a second device including a memory and an 
audio and/or video output; 

storing said digital file in said memory of said second device; and 
rendering said digital file through said output." 

(pg. 5-6) 

"The examiner also objected to claims ... 132-134, ... as dependent upon a rejected base claim (OA, 
¶5). With this Amendment, Applicants have amended the above-mentioned claims to an independent 
form including all the limitations of the rejected base claim and any intervening claims per the 
Examiner's suggestion." 
(pg. 22) 

09/208,017 ('193), Amendment, 08/04/00, p. 5-6, 22 
Extrinsic: 


storing 
information 
associated with 
said digital file in 
a secure database 
stored on said 
first device, said 
information 
including at least 
one control 


See above. 


determining 
whether said 
digital file may 
be copied and 
stored on a 
second device 
based on said at 
least one control 


See above. 


if said at least 
one control 
allows at least a 
portion of said 
digital file to be 
copied and stored 
on a second 
device, 


See above. 


copying at least a 
portion of said 
digital file 


See above. 


transferring at 
least a portion of 
said digital file to 
a second device 


See above. 


storing said 
digital file 


See above. 




"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment." 

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2 
See "Virtual Distribution Environment" above. 


receiving a 
digital file at a 
first device 


See above. 
establishing 
communication 
between said first 
device and a 
clearinghouse 
located at a 
location remote 
from said first 
device 


Intrinsic: 

"A usage clearinghouse 200c as described above in connection with FIG. 1A and/or as disclosed in the 
Shear et al. patent disclosure may be used to track the audit information based on event-driven or 
periodic reporting, for example. Audit records could be transmitted to a usage clearinghouse (or to a 
trusted go-between 4700) by an automatic call forwarding transmission, by a supplement call during 
transmission, by period update of audit information, by the maintenance of a constant communication 
line or open network pathway, etc." ('683 37:56) 

Extrinsic: 


using said 
authorization 
information to 
gain access to or 
make at least one 
use of said first 
digital file 


See above. 


receiving a first 
control from said 
clearinghouse at 
said first device 


See above. 


storing said first 
digital file in a 
memory of said 
first device 


See above. 


using said first 
control to 
determine 
whether said first 
digital file may 
be copied and 
stored on a 
second device 


See above. 


if said first 
control allows at 
least a portion of 
said first digital 
file to be copied 
and stored on a 
second device 


See above. 


copying at least a 
portion of said 
first digital file 


See above. 


transferring at 
least a portion of 
said first digital 
file to a second 
device including 
a memory and an 
audio and/or 
video output 


See above. 


storing said first 
digital file 
portion 


See above. 




'683:2 


Intrinsic: 

"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment." 

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2 

See "Virtual Distribution Environment" above. 

Prosecution History of '683 Patent: 

"A comparison of independent claim 7 to Fischer to derive the similarities and differences between the 
claimed invention and the prior art follows. ... claim 7 recites hardware and/or software used for 
transmission of secure containers to other apparatuses and/or for the receipt of secure containers from 
other apparatuses, see column 3, lines 18-24 and column 4, lines 58-69." 

09/221,479 ('683), Office Action, 11/12/99, 4-5 (IT00065800-01) 

- Fischer, U.S. Pat. No. 5,412,717: 

"Each terminal, A, B . . . N also includes a conventional IBM communications board (not shown) 
which when coupled to a conventional modem 6, 8, 10, respectively, permits the terminals to transmit 
and receive messages. Each terminal is capable of generating a message performing whatever digital 
signature operations may be required and transmitting the message to any of the other terminals 
connected to communications channel 12 (or a communications network (not shown), which may be 
connected to communications channel 12)." (4:58-69) 


the first secure 
container having 
been received 
from a second 
apparatus 


Intrinsic: 

- "Incoming administrative object manager 756 typically maintains records (in concert with SPE 503) 
in secure database 610 (e.g., receiving table 446) that record which objects have been received, objects 
expected for receipt, and other information related to received and/or expected objects." ('193 102:46) 

- REGISTER method 2400 in this "administrative response" mode may prime appropriate audit trails 
(blocks 2460, 2462), and then may unpack the received administrative object and write the associated 
register request(s) configuration information into the secure database (blocks 2464, 2466). REGISTER 
method 2400 may then retrieve the administrative request from the secure database and determine 
which response method to run to process the request (blocks 2468, 2470). If the user fails to provide 
sufficient information to register the object, REGISTER method 2400 may fail (blocks 2472, 2474). 
('193 179:23) 

- "Referring to FIG. 110, appliance 600 may then deliver the secure container(s) 302 to the intended 
recipient 4056 and/or to trusted electronic go-between 4700 based upon the instructions of sender 4052 
as now reflected in the electronic controls 4078 associated with the object 300 (FIG. 110, block 4514). 
Such delivery is preferably by way of electronic network 4058 (672), but may be performed by any 
convenient electronic means such as, for example, Internet, Electronic Mail or Electronic Mail 
Attachment, WEB Page Direct, Telephone, floppy disks, bar codes in a fax transmission, filled ovals on 
a form delivered through physical mail, or any other electronic means to provide contact with the 
intended recipient(s)." ('683 40:3 0) 

Extrinsic: 


an aspect of 
access to or use 
of 


See above. 
the first secure 
container rule 
having been 
received from a 
third apparatus 
different from 
said second 
apparatus 


Intrinsic: 

"[Applicants' independent claims ... require secure delivery of both first and second control items 
originating from someplace other than the appliance where they are used, at least in part, for controlling 
the same process, operation or the like. This feature in combination is not taught or suggested by 
Johnson and/or Rosen." 

08/388,107, Amendment, 06/20/97, p. 23 (MSI028847) 

- "Appliance 600 may next, if necessary, obtain and locally register any methods, controls or other 
information required to manipulate object 300 or its contents (FIG. 115, block 4607B; see registration 
method shown in FIGS. 43a-d). For example, item 4054 may be delivered independently of an 
associated control set 4078, where the control set may only be partial, such that appliance 600 may 
require additional controls from permissioning agent 200f (see FIG. 1A and "rights and permissions 
clearing house" description in the copending Shear et al. patent disclosure) or other archive in order to 
use the item." ('683 41:4) 

- "Secure container 302 may also contain an electronic, digital control structure 4078. This control 
structure 4078 (which could also be delivered independently in another container 302 different from the 
one carrying the image 4068I and/or the data 4068D) may contain important information controlling 
use of container 302." ('683 25:62) 

Extrinsic: 


hardware or 
software used for 
receiving and 
opening secure 
containers 


Intrinsic: 

"Please ... add the following new claims: 

7. A system including, ... hardware and/or software used for receiving and opening secure containers 
09/221,479 ('683), Preliminary Amendment, 12/28/98, p. 2 

- "SPU 500 in this example is an integrated circuit ("IC") "chip" 504 including "hardware" 506 and 
"firmware" 508. SPU 500 connects to the rest of the electronic appliance through an "appliance link" 
510. SPU "firmware" 508 in this example is "software" such as a "computer program(s)" "embedded" 
within chip 504. Firmware 508 makes the hardware 506 work. Hardware 506 preferably contains a 
processor to perform instructions specified by firmware 508. "Hardware" 506 also contains long-term 
and short-term memories to store information securely so it can't be tampered with. SPU 500 may also 
have a protected clock/calendar used for timing events. The SPU hardware 506 in this example may 
include special purpose electronic circuits that are specially designed to perform certain processes (such 
as "encryption" and "decryption") rapidly and efficiently." ('193 59:60) 

- "Referring to FIG. 110, appliance 600 may then deliver the secure container(s) 302 to the intended 
recipient 4056 and/or to trusted electronic go-between 4700 based upon the instructions of sender 4052 
as now reflected in the electronic controls 4078 associated with the object 300 (FIG. 110, block 4514). 
Such delivery is preferably by way of electronic network 4058 (672), but may be performed by any 
convenient electronic means such as, for example, Internet, Electronic Mail or Electronic Mail 
Attachment, WEB Page Direct, Telephone, floppy disks, bar codes in a fax transmission, filled ovals on 
a form delivered through physical mail, or any other electronic means to provide contact with the 
intended recipient(s)." ('683 40:10) 

- while grandparent ('107) did not refer to fax transmission or physical mail, it did recite that the 
delivery means could be by "physical storage media" or by transferring "physical things" ('193, 3:28, 
5:4, 14:21, 18:10, 53:33, 127:6, 245:32) 

- "Incoming administrative object manager 756 receives administrative objects from other VDE 
electronic appliances 600 via communications manager 776." ('193 102:42) 
- Trusted go-between 4700 might be authorized to register (but not open) the containers 302(1) it 
receives for later use as evidence in court 5016. ('683 52:35) 

479.7: "hardware and or/ [sic, and/or] software" 

Extrinsic: 


said secure 
containers each 
including the 
capacity to 
contain a 
governed item, a 
secure container 
rule being 
associated with 
each of said 
secure containers 


Intrinsic: 

"VDE object creation in the preferred embodiment employs VDE templates whose atomic elements 
represent at least in part modular control processes. Employing VDE creation software (in the 
preferred embodiment a GUI programming process) and VDE templates, users may create VDE objects 
300 by, for example, partitioning the objects, placing "meta data" (e.g., authors name, creation date, 
etc.) into them, and assigning rights associated with them and/or object content to, for example, a 
publisher and/or content creator. When a object creator runs through this process, she normally will go 
through a content specification procedure which will request required data. The content specification 
process, when satisfied, may be proceed by, for example, inserting data into a template and 
encapsulating the content." ('193 259:37) 

Extrinsic: 


protected 
processing 
environment at 
least in part 
protecting 
information 
contained in said 
protected 
processing 
environment 
from tampering 
by a user of said 
first apparatus 


Intrinsic: 

See "protected processing environment" for Prosecution History limitations. 

"Such documents may be handled by people (referred to as users) and/or by computers operating on 
behalf of users." ('193 27736) 

Extrinsic: 


hardware or 
software used for 
applying said 
first secure 
container rule 
and a second 
secure container 
rule in 

combination to at 
least in part 
govern at least 
one aspect of 
access to or use 
of a governed 
item contained in 
a secure 
container 



Intrinsic: 

Prosecution History of '683 Patent 

"A comparison of independent claim 7 to Fischer to derive the similarities and differences between the 
claimed invention and the prior art follows — The combination of the first rule and the rule associated 
with the secure container is discussed at column 17, lines 40-61." 

U.S. Pat. No. 5,412,717 17:40-51: 

"Thereafter, the program X's program authorizing information is combined, as appropriate, with the 
PAI associated with the PCB of the calling program, if any. This combined PAI, which may include 
multiple PAI's, is then stored in an area of storage which cannot generally be modified by the program 
and the address of the PAI is stored in the process control block (PCB) as indicated in field 156 of FIG. 
5. Thus, if program X is called by a calling program, it is subject to all its own constraints as well as 
being combined in some way with the constraints of the calling program, which aggregate constraints 
are embodied into program X's PAI." 

"A permissions record 808 may include requirements associated with this control information in 
combination with other control information, or a separate permissions record 808 may be used." ('193 
262:37) 

09/221,479 ('683), Office Action, 11/12/99, 4-5 (IT00065 800-01) 
- "The VDE content control architecture allows content control information (such as control 
information for governing content usage) to be shaped to conform to VDE control information 
requirements of multiple parties. Formulating such multiple party content control information normally 
involves securely deriving control information from control information securely contributed by parties 
who play a role in a content handling and control model (e.g. content creator(s), provider(s), user(s), 
clearinghouse(s), etc.). Multiple party control information may be necessary in order to combine 
multiple pieces of independently managed VDE content into a single VDE container object (particularly 
if such independently managed content pieces have differing, for example conflicting, content control 
information). Such secure combination of VDE managed pieces of content will frequently require 
VDE's ability to securely derive content control information which accommodates the control 
information requirements, including any combinatorial rules, of the respective VDE managed pieces of 
content and reflects an acceptable agreement between such plural control information sets." ('193 
296:12) 

- "The role of go-between 4700 may, in some circumstances, be played by one of the participant's 
SPU's 500 (PPEs), since SPU (PPE) behavior is not under the user's control, but rather can be under the 
control of rules and controls provided by one or more other parties other than the user (although in 
many instances the user can contribute his or her own controls to operate in combination with controls 
contributed by other parties)." ('683 24:26) 

- "Many such load modules are inherently configurable, aggregatable, portable, and extensible and 
singularly, or in combination (along with associated data), run as control methods under the VDE 
transaction operating environment." ('193 25:48) 

- "A permissions record 808 may include requirements associated with this control information in 
combination with other control information, or a separate permissions record 808 may be used." ('193 
262:17) 

"Seniority of contributed control information, including resolution of conflicts between content 
control information submitted by multiple parties, is normally established by:..." ('193 4630) 

- "This attribute of supporting multiple party securely, independently deliverable control information 
is fundamental to enabling electronic commerce, that is, defining of a content and/or appliance control 
information set that represents the requirements of a collection of independent parties such as content 
creators, other content providers, financial service providers, and/or users." ('193 84:10) 

- "A significant feature of VDE accommodates the many, varying distribution and other transaction 
variables by, in part, decomposing electronic commerce and data security functions into generalized 
capability modules executable within a secure hardware SPU and/or corresponding software subsystem 
and further allowing extensive flexibility in assembling, modifying, and/or replacing, such modules 
(e.g. load modules and/or methods) in applications run on a VDE installation foundation. This 
configurability and reconfigurability allows electronic commerce and data security participants to 
reflect their priorities and requirements through a process of iteratively shaping an evolving extended 
electronic agreement (electronic control model). This shaping can occur as content control information 
passes from one VDE participant to another and to the extent allowed by "in place" content control 
information. This process allows users of VDE to recast existing control information and/or add new 
control information as necessary (including the elimination of no longer required elements)." ('193 
16:5) 

- "A significant facet of the present invention's ability to broadly support electronic commerce is its 
ability to securely manage independently delivered VDE component objects containing control 
information (normally in the form of VDE objects containing one or more methods, data, or load 
module VDE components). This independently delivered control information can be integrated with 
senior and other pre-existing content control information to securely form derived control information 
using the negotiation mechanisms of the present invention. All requirements specified by this derived 
control information must be satisfied before VDE controlled content can be accessed or otherwise used. 
This means that, for example, all load modules and any mediating data which are listed by the derived 
control information as required must be available and securely perform their required function." ('193 
10:66) 

- "Embedding takes content that is already in a container and stores it (or the complete object) in 
another container directly and/or by reference, integrating the control information associated with 
existing content with those of the new content." ('193 194:24) 
- However, the EMBED method 2130 performs a slightly different function-it writes an object (or 
reference) into a destination container. Blocks 2112-2122 shown in FIG. 57b are similar to blocks 2082- 
2092 shown in FIG. 57a. At block 2124, EMBED method 2110 writes the source object into the 
destination container, and may at the same time extract or change the control information of the 
destination container. One alternative is to simply leave the control information of the destination 
container alone, and include the full set of control information associated with the object being 
embedded in addition to the original container control information. As an optimization, however, the 
preferred embodiment provides a technique whereby the control information associated with the object 
being embedded are "abstracted" and incorporated into the control information of the destination 
container. ('193 3953) 

- Users of VDE may include content creators who apply content usage, usage reporting, and/or usage 
payment related control information to electronic content and/or appliances for users such as end-user 
organizations, individuals, and content and/or appliance distributors. ('193 9:40) 

- For example, in a VDE aware word processor application, a user may be able to "print" a document 
into a VDE content container object, applying specific control information by selecting from amongst a 
series of different menu templates for different purposes (for example, a confidential memo template for 
internal organization purposes may restrict the ability to "keep," that is to make an electronic copy of 
the memo). ('193 26:59) 

- '479 c. 7: "hardware and/or software used for" 

- "Collection of terms (a control set) define a contract associated with a specific right," ('193 245:56) 

- "securely combining said first and second controls to form a set of controls." ('107 pg. 733 claim 
45) 

- "the right to use the content may be associated with two control sets. One control set may describe a 
fixed ("higher") price for using the content. Another control set may describe a fixed ("lower") price 
for using the content with additional content information and field specification requiring collection and 
return the user's personal information." ('193 246:50) 

- "Multiple party control information may be necessary in order to combine multiple pieces of 
independently managed VDE content into a single VDE container object (particularly if such 
independently managed content pieces have differing, for example, conflicting, content control 
information). Such secure combinations of VDE managed pieces of content will frequently require 
VDE's ability to securely derive content control information which accommodates the control 
information requirements, including any combinatorial rules, of the respective VDE managed pieces of 
content and reflects an acceptable agreement between such plural control information sets." ('193 
296:21) 

- "Control sets 914, in turn, each includes a control set header 916, a control method 918, and one or 
more require methods records 920." ('193 150:24) 

- "Each control set 914 contains as many required methods records 920 as necessary to satisfy all of the 
requirements of the creators and/or distributors for the exercise of a right." ('193 150:53) 

"Control sets 934 exist in two type in VDE 100: common required control sets which are given 
designations, "control sets 0" or "control set for right," and a set of control set options. "Control set 0" 
902 contain a list of required methods that are common to all control set options, so that the common 
required methods do not have to be duplicated in each control set option. A "control set for right" 
("CSR") 910 contain a similar list for control sets within a given right. "Control set 0" and any "control 
sets for rights" are thus, as mentioned above, optimizations; the same functionality for the control set 
can be accomplished by listing all the common required methods in each control set option and omitting 
"control set 0" and any "controls set for rights." ('193 150:30) [see Fig. 26] 

- "Rights and permissions clearinghouses 400 may then distribute a new, combined control set 
188ABC consistent with each of the individual control sets 188A, 188B, 188C — relieving the value 
chain participants from having to formulate any control sets other than the one they are particularly 
concerned about" ('712 190:14-18) 
- "May form an overall transaction control set from a number of discrete sub-control sets contributed, 
for example, by a number of different participants." ('712 234:12-15) 

"Transaction authority 700 also receives another control set 188X specifying how to link the various 
participants' control sets together into overall transactions processes with requirements and limitations 
(Figures 58A and 58B, block 752). The overall transaction control set 188Y specifies how to resolve 
conflicts between the sub-transaction control set 188 (1), 188 (N) provided by the individual 
participants (this could involve, for example, an electronic negotiation process 798 as shown in Figures 
75A-76A of the Ginter et al. patent disclosure). The transaction authority 700 combines the 
participant's individual control sets - tying them together with additional logic create an overall 
transaction control superset 188Y (Figures 58A and 58B, block 752)." ('712 243:8-19) 

Extrinsic: 


hardware or 
software used for 
transmission of 
secure containers 
to other 
apparatuses or 
for the receipt of 
secure containers 
from other 
apparatuses. 


Intrinsic: 

"Referring to FIG. 110, appliance 600 may then deliver the secure container(s) 302 to the intended 
recipient 4056 and/or to trusted electronic go-between 4700 based upon the instructions of sender 4052 
as now reflected in the electronic controls 4078 associated with the object 300 (FIG. 110, block 4514). 
Such delivery is preferably by way of electronic network 4058 (672), but may be performed by any 
convenient electronic means such as, for example, Internet, Electronic Mail or Electronic Mail 
Attachment, WEB Page Direct, Telephone, floppy disks, bar codes in a fax transmission, filled ovals 
on a form delivered through physical mail, or any other electronic means to provide contact with the 
intended recipient(s)." ('683 40:10) 

while grandparent ('107) did not refer to fax transmission or physical mail, it did recite that the 
delivery means could be by "physical storage media" or by transferring "physical things" ('193 3:28, 
5:4, 14:21, 18:10, 53:33, 127:6, 245:32) 

Those programs may communicate with the PPE 650 component of a user's electronic appliance 
600 to make VDE-protected documents available for use while limiting the extent to which their 
contents may be copied, stored, viewed, modified, and/or transmitted and/or otherwise further 
distributed outside the specific electronic appliance. ('193 279:3) 

Extrinsic: 


'721:1 


Intrinsic: 
USP 5,757,914 
USP 4,930,703 

"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment" 

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2 


digitally signing 
a first load 
module with a 
first digital 
signature 
designating the 
first load module 
for use by a first 


Intrinsic: 

- "A hierarchy of assurance levels may be provided for different protected processing environment 
security levels. Load modules or other executables can be provided with digital signatures associated 
with particular assurance levels. Appliances assigned to particular assurance levels can protect 
themselves from executing load modules or other executables associated with different assurance levels. 
Different digital signatures and/or certificates may be used to distinguish between load modules or other 
executables intended for different assurance levels." ('721 6:16) 
- "Encryption can be used in combination with the assurance level scheme discussed above to ensure 
that load modules or other executables can be executed only in specific environments or types of 
environments. The secure way to ensure that a load module or other executable can't execute in a 
particular environment is to ensure that the environment doesn't have the key(s) necessary to decrypt it" 
('721 6:63) 

- "A protected processing environment(s) of assurance level I protects itself (themselves) by executing 
only load modules 54 sealed with an assurance level I digital signature 106(I). Protected processing 
environment(s) 108 having an associated assurance level I is (are) securely issued a public key 124(I) 
that can "unlock" the level I digital signature. Similarly, a protected processing environment(s) of 
assurance level II protects itself (themselves) by executing only the same (or different) load module 54 
sealed with a "Level II" digital signature 106(II). Such a protected processing environment 108 having 
an associated corresponding assurance level II possess a public key 124(II) used to "unlock" the level II 
digital signature. A protected processing environment(s) 108 of assurance level III protects itself 
(themselves) by executing only load modules 54 having a digital signature 106(III) for assurance level 
III. Such an assurance level III protected processing environment 108 possesses a corresponding 
assurance level 3 public key 124(III)." ('721 17:48) 

- "More specifically, a particular assurance level appliance 61 thus protects itself from using a load 
module 54 of a different assurance level. Digital signatures (and/or signature algorithms) 106 in this 
sense create the isolated "desert islands" shown-since they allow execution environments to protect 
themselves from "off island" load modules 54 of different assurance levels." ('721 19:61) 

"If a load module is encrypted differently for different assurance levels, and the keys and/or algorithms 
that are used to decrypt such load modules are only distributed to environments of the same assurance 
level, an additional measure of security is provided." ('721 20:7) 

Extrinsic: 


digitally signing 
a second load 
module with a 
second digital 
signature 
different from the 
first digital 
signature, the 
second digital 
signature 
designating the 
second load 
module for use 
by a second 
device class 
having at least 
one of tamper 
resistance and 
security level 
different from the 
at least one of 
tamper resistance 
and security level 
of the first device 
class 


Intrinsic: 

- "In one example, verifying authority 100 may digitally sign identical copies of load module 54 for 
use by different classes or "assurance levels" of electronic appliances 61." 

- "Protected execution spaces such as protected processing environments can be programmed or 
otherwise conditioned to accept only those load modules or other executables bearing a digital 
signature/certificate of an accredited (or particular) verifying authority. Tamper resistant barriers may 
be used to protect this programming or other conditioning. The assurance levels described below are a 
measure or assessment of the effectiveness with which this programming or other conditioning is 
protected." 

- "For example, protected processing environments or other secure execution spaces that are more 
impervious to tampering (such as those providing a higher degree of physical security) may use an 
assurance level that isolates it from protected processing environments or other secure execution spaces 
that are relatively more susceptible to tampering (such as those constructed solely by software 
executing on a general purpose digital computer in a non-secure location)." ('721 6:34) 

- "The present invention may use a verifying authority and the digital signatures it provides to 
compartmentalize the different electronic appliances depending on their level of security (e.g., work 
factor or relative tamper resistance)." 

- "Assurance level I might be used for an electronic appliance(s) 61 whose protected processing 
environment 108 is based on software techniques that may be somewhat resistant to tampering. An 
example of an assurance level 1 electronic appliance 61A might be a general purpose personal computer 
that executes software to create protected processing environment 108. An assurance level II electronic 
appliance 61B may provide a protected processing environment 108 based on a hybrid of software 
security techniques and hardware-based security techniques. An example of an assurance level II 
electronic appliance 61B might be a general purpose personal computer equipped with a hardware 
integrated circuit secure processing unit ("SPU") that performs some secure processing outside of the 
SPU (see Ginter et al. patent disclosure FIG. 10 and associated text). Such a hybrid arrangement might 
be relatively more resistant to tampering than a software-only implementation. The assurance level III 
appliance 61C shown is a general purpose personal computer equipped with a hardware-based secure 
processing unit 132 providing and completely containing protected processing environment 108 (see 
Ginter et al. FIGS. 6 and 9 for example). A silicon-based special purpose integrated circuit security chip 
is relatively more tamper-resistant than implementations relying on software techniques for some or all 
of their tamper-resistance." 

"Assurance level in this example may be assigned to a particular protected processing environment 108 
at initialization (e.g., at the factory in the case of hardware-based secure processing units). Assigning 
assurance level at initialization time facilitates the use of key management (e.g., secure key exchange 
protocols) to enforce isolation based on assurance level. For example, since establishment of assurance 
level is done at initialization time, rather than in the field in this example, the key exchange mechanism 
can be used to provide new keys (assuming an assurance level has been established correctly)." 

Extrinsic: 


distributing the 
first load module 
for use by at least 
one device in the 
first device class 


See above. 


distributing the 
second load 
module for use 
by at least one 
device in the 
second device 
class 


See above. 


'721:34 


Intrinsic: 
USP 5,757,914 
USP 4,930,703 

"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment." 

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2 
See "Virtual Distribution Environment" above. 


arrangement 
within the first 
tamper resistant 
barrier 


Intrinsic: 

An important part of VDE provided by the present invention is the core secure transaction control 
arrangement, herein called an SPU (or SPUs), that typically must be present in each user's computer, 
other electronic appliance, or network. ('193 48:66) 

Extrinsic: 


prevents the first 
secure execution 
space from 
executing the 
same executable 


Intrinsic: 

"In accordance with this feature of the invention, verifying authority 100 supports all of these various 
categories of digital signatures, and system 50 uses key management to distribute the appropriate 
verification keys to different assurance level devices. For example, verifying authority 100 may 
digitally sign a particular load module 54 such that only hardware-only based server(s) 402(3) at 
accessed by a 
second secure 
execution space 
having a second 
tamper resistant 
barrier with a 
second security 
level different 
from the first 
security level 


assurance level XI may authenticate it. This compartmentalization prevents any load module executable 
on hardware-only servers 402(3) from executing on any other assurance level appliance (for example, 
software-only protected processing environment based support service 404(1))" ('721 19:11) 

Extrinsic: 


'861:58 


Intrinsic: 

"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment." 

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2 
See "Virtual Distribution Environment" above. 


creating a first 
secure container 


Intrinsic: 

- "For example, the descriptive data structure may be used in a creation process 302. The creation 
process 302 may read the descriptive data structure and, in response, create an output file 400 with a 
predefined format such as, for example, a container 100 corresponding to a format described by the 
descriptive data structure 200." ('861 11:58; Fig. 3) 

- "The output of the layout tool 300 may be a descriptive data structure 200 in the form of, for 
example, a text file. A secure packaging process 302a may accept container specific data as an input, 
and it may also accept the descriptive data structure 200 as a read only input. The packager 302a could 
be based on a graphical user interface and/or it could be automated. The packager 302a packages the 
container specific data 314 into a secure container 100. It may also package descriptive data structure 
200 into the same container 100 if desired." ('861 12:9, and see Fig. 4) 

- "Descriptive data structure 200 may provide encodings of other characteristics in the form of 
metadata that can also be used by application 506 during a process of creating, using or manipulating 
container 100." ('861 13:30) 

- "This invention relates to techniques for defining, creating, and manipulating rights management 
data structures." ('861 1:23) 

- "Therefore, the container creation and usage tools must themselves be secure in the sense that they 
must protect certain details about the container design." ('861 4:59) 

- "The above-referenced Ginter et al. patent specification describes, by way of non-exhaustive 
example, "templates" that can act as a set (or collection of sets) of control instructions and/or data for 
object control software. See, for example, the "Object Creation and Initial Control Structures," 
"Templates and Classes," and "object definition file," "information" method and "content" methods 
discussions in the Ginter et al. specification. The described templates are, in at least some examples, 
capable of creating (and/or modifying) objects in a process that interacts with user instructions and 
provided content to create an object." ('861 4:65) 

- "The DDS creation tool 800 (see FIG. 10A) may then package the resulting DDS 200 into a secure 
container 100 along with an associated object 830" ('861 19:62) 

- "In accordance with one aspect of how to advantageously use descriptive data structures in 
accordance with a preferred embodiment of this invention, a machine readable descriptive data structure 
may be created by a provider to describe the layout of the provider's particular rights management data 
structure(s) such as secure containers. These descriptive data structure ("DDS") templates may be used 
to create containers " ('861 6:24) 

- "Object construction stage 1230 may use information in object configuration file 1240 to assemble or 
modify a container. This process typically involves communicating a series of events to SPE 503 to 
create one or more PERCs 808, public headers, private headers, and to encrypt content, all for storage in 
the new object 300 (or within secure database 610 within records associated with the new object)." 
('193 103:47) 

- "The Internet Repository 3406 VDE containerizes, including encrypts, selected object content as it 
streams out of the Repository in response to an online, user request to download an object." ('193 
313:33) 

- "The container manager 764 may, in cooperation with SPE 503, construct an object container 302 
based at least in part on parameters about new object content or other information as specified by object 
configuration file 1240. Container manager 764 may then insert into the container 302 the content or 
other information (as encrypted by SPE 503) to be included in the new object. Container manager 764 
may also insert appropriate permissions, rules and/or control information into the container 302 (this 
permissions, rules and/or control information may be defined at least in part by user interaction through 
object submittal manager 774, and may be processed at least in part by SPE 503 to create secure data 
control structures). Container manager 764 may then write the new object to object repository 687, and 
the user or the electronic appliance may "register" the new object by including appropriate information 
within secure database 610." ('193 104:12) [see Fig. 12A] 

Extrinsic: 


including or addressing . . . organization information . . . desired organization of a content section . . . and metadata information at least in part specifying at least one step required or desired in creation of said first secure container 


Intrinsic: 

- "metadata fields 264 (which may be part of and/or referenced by the descriptive data structure)" 
('861 14:20); "include or reference" ('861 15:21); advantages of referencing ('861 15:32-58); 
alternative to referencing is "explicitly include" ('861 15:59); "including or addressing" ('861 .58); 
"includes a reference to" ('861 .69); 

- "it may be useful to store the metadata in a secure container 100 separately from DDS 200" ('861 
15:35) 

- "FIG. 7 shows an example of how descriptive data structure 200 may be formatted. As mentioned 
above, descriptive data structure 200 may comprise a list such as a linked list. Each list entry 260(1), 
260(2), . . . may include a number of data fields including, for example: an object name field 262, one 
or more metadata fields 264 (which may be part of and/or referenced by the descriptive data structure); 
and location information 266 (which may be used to help identify the corresponding information within 
the container data structure 100)." 

- "a descriptive data structure could serve as 'instructions' that drive an automated packaging 
application for digital content and/or an automated reader of digital content such as display priorities 
and organization (e.g., order and/or layout)." ('861 7:54); 

- "a DDS 200 could serve as the 'instructions' that drive an automated packaging application for 
digital content or an automated reader of digital content." ('861 13:) 

- "In accordance with one example, the machine readable descriptive data structure provides a 
description that reflects and/or defines corresponding structure(s) within the rights management data 
structure. For example, the descriptive data structure may provide a recursive, hierarchical list that 
reflects and/or defines a corresponding recursive, hierarchical structure within the rights management 
data structure descriptive data structure may directly and/or indirectly specify where, in an 
associated rights management data structure, corresponding defined data types may be found." ('721 
5:56); 

- Issued claim 1: "a first memory storing a descriptive data structure, said descriptive data structure 
including: information regarding a first organization of elements within a secure container, said 
information including: information on the organization of said elements within said secure container, 
and information on the location of at least some of said elements within said secure container;" Issued 
claim 16: "using said organization information to identify a specific portion of said first secure 
container content." (see c. 17-19 re. specific portions) 

- Issued claim 34: "a representation of the format of data contained in a first rights management data 
structure said representation including: element information contained within said first rights 
management data structure; and organization information regarding the organization of said elements 
within said first rights management data structure; and information relating to metadata, said metadata 
including" 







- Issued claim 45 (dependent from 34-44): "said information regarding elements contained within 
said first rights management data structure includes information relating to the location of at least one 
such element." 

- Issued claim 73: "said descriptive data structure organization information includes information 
specifying that said first secure container contents will include at least a title and a text section referred 
to by said title" 

- Issued claim 74: "said descriptive data structure organization information includes information 
specifying that said first secure container contents will include at least one advertisement" 

- Issued claim 75: "said descriptive data structure further includes information relating to the location 
at which said title, said text section and said advertisement should be stored in said first secure 
container." 

- Issued claim 76: "at least a portion of said descriptive data structure organization information 
includes information specifying fields relating to at least one atomic transaction" 

- "For example, the FIG. 2A example descriptive data structure headline definition 202a does not 
specify a particular headline (e.g., "Yankees Win the Pennant!"), but instead defines the location (for 
example, the logical or other offset address) within the container data structure 100a (as well as certain 
other characteristics) in which such headline information may reside." ('861 10:54); 

"layout "hints" and field definitions (e.g., text, text block, integer, file, image or other data type)." ('861 
16:49) 

- "A method of creating a first secure container, said method including the following steps;" ('861 this 
claim 58) 

"Descriptive data structure 200 can, for example, tell application 506 to always display a certain field 
(e.g., the author or copyright field) and to never display other information (e.g., information that should 
be hidden from most users)." ('861 13:) 

Extrinsic: 


at least in part determine specific information required to be included in said first secure container contents 


Intrinsic: 

- "Descriptive data structure 200 may provide encodings of other characteristics in the form of 
metadata that can also be used by application 506 during a process of creating, using or manipulating 
container 100. The DDS 200 can be used to generate a software program to manipulate rights 
management structures. For example, a DDS 200 could serve as the 'instructions' that drive an 
automated packaging application for digital content or an automated reader of digital content" ('861 
13:30); 

- "such metadata may impose integrity or other constraints during the creation and/or usage process 
(e.g., "when you create an object, you must provide this information", or "when you display the object, 
you must display this information")." ('861 15:25); "many possible integrity constraints. ... Required: 
... Optional ... Required relationship ... Optional relationship ... Repetition" ('861 16:15); 

- ""construction type" metadata (upon object construction, the information is required; upon object 
construction, the object creation tool is to always or never prompt for the information)" ('861 16:41); 
"The descriptive data structure can be used to generate one or more portions of software programs that 
manipulate rights management structures. For example, a descriptive data structure could serve as 
'instructions' that drive an automated packaging application for digital content and/or an automated 
reader of digital content such as display priorities and organization (e.g., order and/or layout)." ('861 
7:51) 

"In use, electronic appliance 500 may access secure container 100 and-in accordance with rules 316 — 
access the descriptive data structure 200 and content 102 it contains and provide it to application 506. 
The interpreter 508 within application 506 may, in turn, read and use the descriptive data structure 
200." 

For example, suppose the application 506 wants to display the "headline" information within newspaper 
style content shown in FIG. 2A. Application 506 may ask interpreter 508 to provide it with information 
that will help it to locate, read, format and/or display this "headline" information." ('861 12:57) 

Extrinsic: 


rule designed to control at least one aspect of access to or use of at least a portion of said first secure container contents 


Intrinsic: 

Prosecution History of '861 Patent: 

"Claims [1,10,25,26] are rejected under 35 U.S.C. 102(b) as being clearly anticipated by the common 
and decades-old practice of using database schema to describe the structure of a database which 
requires password/identifications for access. ... Claims [1-17,25-26] are rejected under 35 U.S.C. 
102(a) as being anticipated by Anderson et al (Anderson), USP 5,537,526, Method and Apparatus for 
Processing a Display Document Utilizing a System Level Document. The claims are rejected on the 
basis of the correspondence between the teachings of Anderson and the elements of the claims as 
follows: As to claim 1 (and 10), the TabstractModel 502 is a machine readable, abstract descriptive 
data structure which interoperates with Tmodels 506 (TM), and TmodelSurrogates 504 (TMS). ... 
These models are clearly data structures, and while they can be of many types, the data they manage 
can include restrictions that correspond to rights management" 

08/805,804 ('861), Office Action, 06/25/98, p. 2-3 

- "The rights management environment in which DigiBox-TM. containers are used allows commerce 
participants to associate rules with the digital information (content)." ('861 1:50) 

- "For example, a creator of content can package one or more pieces of digital information with a set 
of rules in a DigiBox secure container- such rules may be variably located in one or more containers 
and/or client control nodes—and send the container to a distributor. The distributor can add to and/or 
modify the rules in the container within the parameters allowed by the creator. The distributor can then 
distribute the container by any rule allowed (or not prohibited) means— for example, by communicating 
it over an electronic network such as the Internet. A consumer can download the container, and use the 
content according to the rules within the container. The container is opened and the rules enforced on 
the local computer or other InterTrust-aware appliance by software InterTrust calls an InterTrust 
Commerce Node. The consumer can forward the container (or a copy of it) to other consumers, who can 
(if the rules allow) use the content according to the same, differing, or other included rules— which rules 
apply being determined by user available rights, such as the users specific identification, including any 
class membership(s) (e.g., an automobile club or employment by a certain university). In accordance 
with such rules, usage and/or payment information can be collected by the node and sent to one or more 
clearinghouses for payment settlement and to convey usage information to those with rights to receive 
it." ('861 2:13) 

- "Descriptive data structure 200 may supply integrity constraints or rules that protect the integrity of 
corresponding content during use of and/or access to the content." ('861 12:2) 

- "For example, DDS 200 can specify that an article of a newspaper cannot be viewed without its 
headline being viewed. The corresponding integrity constraint can indicate the rule "if there is an article, 
there must also be a headline"" ('861 16:2) 

"In this example, each target data block 801 includes rule (control) information. Different target data 
blocks 801 can provide different rule information for different target environments 850. The rule 
information may, for example, relate to operations (events) and/or consequences of application program 
functions 856 within the associated target environment 850 such as specifying:" ('861 18:33) 

Extrinsic: 


'891:1 


Intrinsic: 

"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment." 

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2 
See "Virtual Distribution Environment" above. 


resource processed in a secure operating environment at a first appliance 


Intrinsic: 

• Prosecution History of Application 08/388,107 (issued as '891): 
"Please amend the remaining claims as follows: 

15. (Amended) A method for [managing] using at least one resource [with] processed in a secure 
operating environment at a first appliance, said method comprising: 

securely receiving a first entity's control [from a first entity] at said first appliance, said first entity 
being located remotely from [external to] said operating environment and said first appliance; 
securely receiving a second entity's control [from a second entity] at said first appliance, said second 
entity being located remotely from [external to] said operating environment and said first appliance. 


soju sccuuu cuuiy c/cuig mucrcm u uiu >aju ium tn my , auu 

securely processing a data item at said first appliance, using at least one resource [, a data item 
associated with said first and second controls; and], including securely applying, at said first appliance 
through use of said at least one resource, said first entity's control and said second entity's control 
[controls] to [manage said resource for] govern use [with] of said data item." 

08/388,107, Amendment, 06/20/97, p. 2 (MS1028825) 

Extrinsic: 


securely receiving a first entity's control at said first appliance 


See above. 


securely receiving a second entity's control at said first appliance 


See above. 


securely processing a data item at said first appliance, using at least one resource 


Intrinsic: 

"a protected processing environment, coupled to said communications arrangements, that: (a) securely 
processing, using at least one resource, a data item associated with said first and second controls, and 
(b) securely applies said first and second controls to manage said resources for use of said data item." 
(08/388,107 page 781 claim 75) 

Extrinsic: 


securely applying at said first appliance through use of said at least one resource said first entity's control and said second entity's control to govern use of said data item 


Intrinsic: 

"Such secure combination of VDE manage pieces of content will frequently require VDE's ability to 
securely derive content control information which accommodates the control information requirements, 
including any combinational rules, of the respective VDE managed pieces of content and reflects an 
acceptable agreement between plural control information sets." (293:12) 

Extrinsic: 


'900:155 


Intrinsic: 

"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment." 

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2 

Prosecution History of '900: 

Claims 302, 321 and 322, as pending: 

"302. A virtual distribution environment comprising 

• a first host processing environment comprising 

• a central processing unit; 

• main memory operatively connected to said central processing unit; 

• mass storage operatively connected to said central processing unit and said main 
memory; 

• said mass storage storing tamper resistant software designed to be loaded into said 
main memory and executed by said central processing unit, said tamper resistant 
software comprising: 

• machine check programming which derives information from one or more aspects of 
said host processing environment, 

• one or more storage locations storing said information; and 

• integrity programming which 

• causes said machine check programming to derive said information, 

• compares said information to information previously stored in said one or more 
storage locations, and 

• generates an indication based on the result of said comparison. 

321. A virtual distribution environment as in claim 302, 

• said virtual distribution environment further comprising programming which takes 
one or more actions based on the state of said indication. 

322. A virtual distribution environment as in claim 321 in which said one or more actions 
includes at least temporarily halting further processing." 

(08/706,206 ('900), Amendment, 06/09/98, 92-93, 96, 96-97) 

"Claims ... 322-324, ... are objected to as being dependent upon a rejected base claim, but would be 
allowable if rewritten in independent form including all of the limitations of the base claim and any 
intervening claims." 

08/706,206 ('900), Office Action, 08/27/98, p. 2 

"322. A virtual distribution environment comprising 

• a first host processing environment comprising 

• a central processing unit; 

• main memory operatively connected to said central processing unit; 

• mass storage operatively connected to said central processing unit and said 
main memory; 

• said mass storage storing tamper resistant software designed to be loaded 
into said main memory and executed by said central processing unit, said tamper 
resistant software comprising: 

• machine check programming which derives information from one or more 
aspects of said host processing environment, 

• one or more storage locations storing said information; 

• integrity programming which 

o causes said machine check programming to derive said information, 

o compares said information to information previously stored in said one or more storage locations, and 

o generates an indication based on the result of said comparison; and 

• programming which takes one or more actions based on the state of said 
indication; 

• said one or more actions including at least temporarily halting further 
processing." 

(pg. 27-28) 

Remarks, "Applicants appreciate the indication that claims ... are allowed and that claims ... 322-324 
are objected to but would be allowable if rewritten into independent form. ... For purposes of 
expedition, applicants are cancelling the rejected claims without prejudice and are rewriting 
objected to dependent claims into independent form." (pg. 42) 
08/706,206 ('900), Amendment, 11/23/98, p. 27-28, 42. 


first host processing environment comprising 


See above. 


said mass storage storing tamper resistant software 


See above. 


designed to be loaded into said main memory and executed by said central processing unit 


See above. 


said tamper resistant software comprising: . . . one or more storage locations storing said information 


Intrinsic: 

"Referring once again to FIG. 69B, the installed operational materials 3472 may be further customized 
for each instance by making random changes to reserved, unused portions of the operational materials 
(FIG. 69B, block 3470(6)). An example of this is shown in FIG. 69E. In this example, the operational 
materials 3472 include unused, embedded random data or code portions 3494." 

Extrinsic: 


derives information from one or more aspects of said host processing environment, 


Intrinsic: 

('900 73:1 - 80:6); ('900 230:55 - 233:34); ('900 235:28-244:15); Figs. 69A-N 


one or more storage locations storing said information 


Intrinsic: 

"Referring once again to FIG. 69B, the installed operational materials 3472 may be further customized 
for each instance by making random changes to reserved, unused portions of the operational materials 
(FIG. 69B, block 3470(6)). An example of this is shown in FIG. 69E. In this example, the operational 
materials 3472 include unused, embedded random data or code portions 3494." 


information previously stored in said one or more storage locations 


Intrinsic: 
See terms. 


generates an indication based on the result of said comparison 


See terms. 


programming which takes one or more actions based on the state of said indication 


Intrinsic: 

Claim 321, as pending: 

"321. A virtual distribution environment as in claim 302, 
said virtual distribution environment further comprising programming which takes one or more actions 
based on the state of said indication." 
08/706,206 ('900), Amendment, 06/09/98, p. 96 


at least temporarily halting further processing 


See halting. 


'912:8 


"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment." 

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2 
See "Virtual Distribution Environment" above. 


identifying at least one aspect of an execution space required for use and/or execution of the load module 


Intrinsic: 

"For each site, the manufacturer generates a site ID 2821 and list of site characteristics 2822." ('193 
209:55) 


said execution space identifier provides the capability for distinguishing between execution spaces providing a higher level of security and execution spaces providing a lower level of security 


Extrinsic: 

See generally processor identification field, memory maps, and address spaces. 
(Tanenbaum, A., Modern Operating Systems, MS1096004) 


checking said 
record for 
validity prior to 
performing said 
executing step 


Extrinsic: 

Validity Check: The process of analyzing data to determine whether it conforms to predetermined 
completeness and consistency parameters. (Microsoft Computer Dictionary, 3rd ed. 1997) 


'912:35 


"The instant application is one of a series of applications which are all generally directed to a virtual 
distribution environment." 

09/208,017 ('193), Examiner's Amendment, 08/04/00, p. 2 
See "Virtual Distribution Environment" above. 




received in a secure container 


See terms. 


said component assembly allowing access to or use of specified information 


See terms. 


said first component assembly specified by said first record 


See terms. 

Exhibit E 
Microsoft's Statement of Reservations 

Microsoft provides its attached claim construction for each of the 12 "Mini-Markman" 
claims, subject to the limitations and reservations of rights set forth herein. 

Claim Invalidity: Microsoft does not waive any defenses that the asserted claims 
fail to satisfy the provisions of 35 U.S.C. § 112, including, for example, the written 
description requirement, the definiteness requirement, or any other requirement for 
patentability. Microsoft does not concede that the asserted claims are supported by 
Plaintiff's original "big book" application or any application from which they purportedly 
claim priority. By offering a construction of a term, Microsoft does not waive any 
defense that the claim is indefinite and there can be no proper construction. 

Continuing Discovery: Microsoft reserves the right to modify its claim 
constructions in light of ongoing claim construction discovery. Microsoft reserves the 
right to modify or supplement its cited extrinsic evidence in light of information which is 
provided in continuing claim construction discovery, or information which has already 
been provided but too recently, or in too high a volume, or in other manner inhibiting its 
full review, such as InterTrust's re-production of over 1,000,000 pages on November 4, 
2002. 

Intrinsic Evidence: For the purposes of submission of this claim construction 
only, Microsoft treats the "intrinsic" evidence as including: 1) the specifications of each 
of the seven U.S. patents at issue in the "Mini-Markman" proceeding, including any 
material purportedly incorporated by reference therein; 2) the prosecution history of each 
of the seven patents at issue, including the applications and prosecution history of the 
seven patents and any related patent applications, including without limitation, 
applications purportedly incorporated by reference or to which an application claimed 
priority; and 3) all references cited in the prosecution of any such applications. 



Microsoft does so without waiving the right to contest whether some of this information 
is or is not properly part of the intrinsic evidence. 



Exhibit F 



Dr. Reiter is expected to testify as follows: 

1. Dr. Reiter will testify regarding the meaning of the disputed claim elements to 
one of ordinary skill in the art, taking into account the understood meaning of the terms 
in the art, the patent specifications and the file histories. He will testify as follows: 

a. InterTrust's proposed definitions, attached as Exhibit B to the Joint Claim 
Construction Statement ("JCCS") are consistent with the use of the terms or phrases in 
the specification and the relevant art. Those definitions are attached hereto. Citations to 
supporting specification text and relevant art can be found in Exhibit C to the JCCS. 

b. Microsoft has made repeated substantial changes to its proposed definitions, 
the changes continuing up to shortly before the present document was prepared. For this 
reason, it is impossible to include detailed responses to the issues raised by those 
definitions. 

In general, however, the Microsoft definitions incorporate restrictions that are 
inconsistent with specification use of the terms and/or inconsistent with the 
understanding of the terms in the art. Those inconsistencies are demonstrated by the 
attached supporting evidence. The following discussion lists one or more serious 
deficiencies in each Microsoft definition, but is not intended as a comprehensive 
description of all such deficiencies. 

Individual terms 

Access/Access to/Accessing/Accessed 

The first sentence of Microsoft's definition is generally consistent with the 
InterTrust definition. The second sentence of the Microsoft definition is based on a 
specific disclosed embodiment, and is inconsistent with general use of the term in the 
specifications. 

Addressing 

The two parties' definitions are very close. Microsoft's definition is, however, 
improper in its apparent exclusion of indirect addressing. 

Allowing, allows 

Microsoft's definition is based on a specific disclosed embodiment and ignores 
other embodiments. See InterTrust's supporting evidence. 

Arrangement 



Microsoft's definition requires particular types of organizations and is therefore 
inconsistent with the patent specifications. 

Aspect 

Microsoft's definition is overly restrictive in its requirement that an aspect be 
"persistent" and that it "can be used to distinguish [an environment] from other 
environments." 

Associated with 

Microsoft's definition incorporates restrictions based on a particular embodiment 
and is inconsistent with other disclosed embodiments and with the general meaning of the 
term. 

Authentication 

Microsoft's definition requires multiple types of authentication, in a manner not 
required by use of this term in the specification or the art. Moreover, some of these types 
cannot be applied (e.g., "origin integrity" applied to an organization). 

Authorization information, Authorized, Not authorized 

Microsoft's definitions are based on specific embodiments and contradicted by 
alternative embodiments disclosed in the specifications. 

Budget control; Budget 

Microsoft's definition improperly restricts "budget" to a particular type of 
method, and improperly restricts Budget Control in a manner inconsistent with the 
specification. 

Can be 

Microsoft's definition incorporates the language "which otherwise cannot be 
carried out." This language is inconsistent with the specifications. 

Capacity 

The Microsoft definition relates to hardware storage devices, a context that is 
irrelevant to use of the term in the relevant claim. 

Clearinghouse 

Microsoft's definition is inconsistent with use of this term in the specifications. 
See InterTrust's supporting evidence. 



Compares; Comparison 

Microsoft's definition is based on a particular type of processor operation, a 
context that is not discussed in the specification and not required by the claim. 

Component assembly 

Microsoft's definition incorporates a large number of restrictions based on 
specific embodiments and ignoring alternate embodiments. 

Contain, contained, containing 

Microsoft's definition requires "physically" or "directly" storing, and 
distinguishes Addressing. This is inconsistent with use of the term in the specification. 

Control (n.); Controls (n.) 

The Microsoft definition incorporates a large number of restrictions based on 
specific embodiments, and ignores alternate embodiments described in the specifications. 

Controlling; Control (v.) 

The Microsoft definition incorporates limitations that are not required by the 
specification, including limitations contradicted by use of the term in the specifications 
and by disclosed embodiments. 

Copied file 

The Microsoft definition improperly distinguishes "copied file" from "copy." 

Copy, copied, copying (v.) 

The Microsoft definition is internally inconsistent, since it both prohibits and 
allows changes in the reproduced file. That definition also incorporates examples that are 
inconsistent with use of the terms in the claims. 

Copy control 

The Microsoft definition is inconsistent with use of this term in the claim. 

Data item 

The Microsoft definition incorporates limitations not present in the InterTrust 
definition. These limitations are not required by the specification or normal use of the 
term in the art. 



Derive, Derives 

The Microsoft definition requires retrieval, a concept not required by the 
specifications or use of this term in the claim. 

Descriptive data structure 

Limitations in the last two sentences of the Microsoft definition are inconsistent 
with described embodiments and are not required by the specifications or use of the term 
in the claims. 

Designating 

The Microsoft definition does not apply to this term, but instead to the claim 
phrase in which the term is found. That claim phrase is separately defined. 

Device class 

The Microsoft definition is inconsistent with the definition given to this term 
during prosecution. 

Digital file 

The Microsoft definition is overly restrictive. The limitations it incorporates are 
not required by the specification, use of the term in the claims or general use in the 
relevant art. 

Digital signature; Digitally signing 

The Microsoft definition of digital signature requires that the string be 
"computationally unforgeable," a characteristic that is impossible to obtain. The 
Microsoft definition of digitally signing requires a secret key, and also includes 
significant background discussion not necessary for the definition. 

Entity's control 

Microsoft's definition improperly requires control of a "particular use of or access 
to particular protected information by a particular user(s)." No such requirements are 
imposed by the term, the claim or the specifications. 

Environment 

Microsoft does not appear to have provided any definition for this term. 

Executable programming; Executable 

Microsoft's requirement of "machine code instructions" is inconsistent with use 
of this term in the specifications. In addition, Microsoft's definition of "computer 
program" imposes limitations not required by these terms. 

Execution space; Execution space identifier 

Microsoft's definition of Execution Space is inconsistent with the explicit 
definition given to this term during prosecution. Microsoft's definition of Execution 
Space Identifier improperly requires "unique" identification. 

Governed item 

Microsoft's definition of Governed Item requires arbitrarily fine granularity and 
control of "access and use by any user, process, or device." Neither the term nor the 
specifications require such limitations. 

Halting 

The Microsoft definition requires execution be "unconditionally" stopped. The 
specification imposes no such requirement, and the Microsoft definition appears to be 
based on a particular type of instruction that is not mentioned in the patents. 

Host processing environment 

The Microsoft definition incorporates the term "VDE node," a term that is itself 
defined at great length, incorporating numerous improper limitations. The Microsoft 
definition also improperly incorporates restrictions based on privileged mode versus user 
mode, and "loaded" software. In addition, the Microsoft definition improperly excludes 
hardware. 

Identifier, Identify, Identifying 

The Microsoft definitions improperly restrict these terms to "particular instances." 

Including 

The definitions are consistent, except that the hardware portion of Microsoft's 
definition requires "physically present within." This is inconsistent with use of the term 
in the claims. 

Information previously stored 

Microsoft's definition would render the claim nonsensical, since it would require 
a comparison involving information that is no longer available for the comparison. 



Integrity programming 

The Microsoft definition is internally inconsistent, improperly incorporates the 
term Executable Programming and improperly defines integrity as excluding all 
alterations. 

Key 

Microsoft's exclusion of "key seed or other information from which the actual 
encryption and/or decryption key is constructed, derived, or otherwise identified" is 
inconsistent with the specification and general use of the term in the relevant art. 

Load module 

Microsoft's definition imposes numerous limitations beyond those identified in 
the InterTrust definition. Those additional limitations are not required by the term and 
are inconsistent with embodiments disclosed in the specifications. 

Machine check programming 

The Microsoft definition improperly requires Executable Programming and a 
"unique 'machine signature' which distinguishes the physical machine from all other 
machines." These limitations are not required by the term. 

Opening secure containers 

The Microsoft definition improperly distinguishes "opening" from decrypting, 
and improperly incorporates limitations based on a particular embodiment of opening. 

Operating environment 

See Processing Environment. 

Organization, Organization information, Organize 

The Microsoft definitions improperly incorporate concepts related to physical 
storage. 

Portion 

The Microsoft definition improperly implies that presence of a "portion" excludes 
presence of the whole. 



Prevents 



The Microsoft definition requires a level of certainty that is inconsistent with the 
specification and impossible to obtain. 

Processing Environment 

The Microsoft definition incorporates a specific embodiment and would exclude 
other embodiments disclosed for this term. 

Protected processing environment 

The Microsoft definition incorporates at least several dozen highly restrictive and 
unnecessary limitations, and appears to combine restrictions from multiple separate 
embodiments. 

Protecting 

The incorporation of Security into the Microsoft definition is improper, since that 
term is considerably more general than the manner in which Protecting is used in the 
claim. 

Record 

The Microsoft definition includes limitations beyond those incorporated in the 
InterTrust definition. These added limitations are not required by use of this term in the 
claims, specification, or art. 

Required 

The Microsoft definition implies a degree of absoluteness that is inconsistent with 
the specification. The second sentence of the Microsoft definition is unsupported by the 
specification or normal use of the term. 

Resource processed 

The Microsoft definition improperly requires a "shared facility," and that the 
resource be "required by a job or task." These are not required by the claim or 
specification. 

Rule 

The Microsoft definition improperly distinguishes Rules from Controls, and 
imposes an unsupported requirement that a Rule be a "lexical statement." 



Secure 



The Microsoft definition requires absolute protection against all possible threats, 
and is therefore inconsistent with use of the term in the specification, the claims, and the 
relevant art. 

Secure container 

The requirements imposed by the Microsoft definition are either inconsistent with 
the specification or ignore disclosed embodiments. 

Secure container governed item 

The Microsoft definition imposes a requirement of absolute security that is 
inconsistent with the specification and ignores alternate disclosed embodiments. 

Secure database 

The Microsoft definition improperly defines "database" in accordance with one 
particular type of database, and improperly imposes a requirement of absolute security 
that is inconsistent with the specification. 

Secure execution space 

The Microsoft definition is inconsistent with and excludes embodiments of Secure 
Execution Spaces described in the specification. 

Secure memory 

Microsoft's definition of "memory" improperly excludes virtual memory. 
Microsoft's definition of Secure Memory includes numerous restrictions not supported by 
the specification. 

Secure operating environment, Said operating environment 

See Secure Processing Environment. 

Securely applying 

Microsoft's definition of "securely" is inconsistent with and excludes 
embodiments described in the specification. 

Microsoft's definition of Securely Applying improperly includes limitations from 
specific embodiments, as well as limitations not required by the specification or claims. 

Securely assembling 



The Microsoft definition incorporates limitations from specific embodiments, and 
ignores alternate embodiments not requiring those limitations. 

Securely processing 

The Microsoft definition improperly incorporates a requirement of a secure 
execution space. This requirement is inconsistent with embodiments described in the 
specification. 

Securely receiving 

The Microsoft definition is based on limitations taken from a particular 
embodiment and ignores alternate embodiments. 

Security level, Level of security 

The Microsoft definition improperly requires an "ordered measure" and 
persistence. The second and third sentences from the Microsoft definition are 
unsupported by any disclosure in the specifications. 

Tamper resistance 

The Microsoft definition improperly requires a tamper resistant barrier. 

Tamper resistant barrier 

The Microsoft definition describes a specific embodiment, and is inconsistent 
with alternate embodiments described in the specifications. 

Tamper resistant software 

The Microsoft definition improperly requires a tamper resistant barrier. 

Use 

The second sentence of the Microsoft definition improperly incorporates 
limitations from a particular embodiment. 

User controls 

The Microsoft definition is inconsistent with the claim and the prosecution history. 

Validity 

The Microsoft definition improperly incorporates the concept of "authentication," 
and applies only to data. 

Virtual distribution environment 

See Global Construction of VDE. 

Claim phrases 

193.1 

receiving a digital file including music 

The Microsoft definition includes numerous unnecessary limitations, including 
secure container, authenticating a recipient and use of controls. 

a budget specifying the number of copies which can be made of said digital file 

The Microsoft definition improperly includes "copies" that are not "long-lived, 
decrypted or accessible." The Microsoft definition also ignores embodiments involving 
alternative control structures. 

controlling the copies made of said digital file 

The Microsoft definition improperly incorporates limitations from particular 
embodiments, ignores embodiments describing alternative control structures and imposes 
numerous limitations that are not supported by the specification or claim language. 

determining whether said digital file may be copied and stored on a second device 
based on at least said copy control 

The Microsoft definition incorporates numerous unnecessary limitations not 
required by the claim or the specification, improperly requires that "the" file, as opposed 
to a copy, be stored on a second device, excludes described alternative embodiments and 
requires an absolute degree of control that is inconsistent with the specification. 

if said copy control allows at least a portion of said digital file to be copied and 
stored on a second device 

The Microsoft definition's "explanation" of the branches makes no sense and is 
unsupported by the claim and , improperly requires that "the" file, as opposed to a copy, 
be stored on a second device. 

copying at least a portion of said digital file 



The Microsoft definition improperly distinguishes a "copy" and "the" file, and 
improperly excludes embodiments described in the specification. 

transferring at least a portion of said digital file to a second device 

The Microsoft definition improperly distinguishes a "copy" and "the" file, 
improperly requires that controls be executed and ignores alternative embodiments 
described in the specification. 

storing said digital file 

The Microsoft definition improperly distinguishes a "copy" and "the" file, and 
improperly requires storage of the entire file rather than a portion. 

193.11 

receiving a digital file 

The Microsoft definition includes numerous unnecessary limitations, including 
secure container, authenticating a recipient and use of controls. 

determining whether said digital file may be copied and stored on a second device 
based on said first control 

The Microsoft definition incorporates numerous unnecessary limitations not 
required by the claim or the specification, improperly requires that "the" file, as opposed 
to a copy, be stored on a second device, excludes described alternative embodiments and 
requires an absolute degree of control that is inconsistent with the specification. 

identifying said second device 

The Microsoft definition improperly requires that the identification distinguish the 
device from all other devices, that controls be used and that a VDE Secure Processing 
Environment be used. 

whether said first control allows transfer of said copied file to said second device 

The Microsoft definition improperly distinguishes a "copy" from "the" file, and 
ignores embodiments describing alternative control structures. 

said determination based at least in part on the features present at the device 

The Microsoft definition improperly requires that all features be used, that these 
be "actual, current" features and improperly excludes device identifiers. 



if said first control allows at least a portion of said digital file to be copied and 
stored on a second device 

The Microsoft definition's "explanation" of the branches makes no sense and is 
unsupported by the claim and , improperly requires that "the" file, as opposed to a copy, 
be stored on a second device. 

copying at least a portion of said digital file 

The Microsoft definition improperly distinguishes a "copy" and "the" file, and 
improperly excludes embodiments described in the specification. 

transferring at least a portion of said digital file to a second device 

The Microsoft definition improperly distinguishes a "copy" and "the" file, 
improperly requires that controls be executed and ignores alternative embodiments 
described in the specification. 

storing said digital file 

The Microsoft definition improperly distinguishes a "copy" and "the" file, and 
improperly requires storage of the entire file rather than a portion. 

193.15 

receiving a digital file 

The Microsoft definition includes numerous unnecessary limitations, including 
secure container, authenticating a recipient and use of controls, and the requirement that 
the step must proceed in both authentication branches is not supported in the claim. 

an authentication step comprising: 

The Microsoft definition improperly includes a requirement of an absence of trust, 
VDE controls and a VDE Secure Processing Environment. 

accessing at least one identifier associated with a first device or with a user of said 
first device 

The Microsoft definition improperly requires "securely" accessing, that an 
identifier identify a "single" user or device (but not "and"), VDE controls, and a VDE 
Secure Processing Environment. 

determining whether said identifier is associated with a device and/or user 
authorized to store said digital file 



The Microsoft definition improperly requires VDE controls and a VDE Secure 
Processing Environment. 

storing said digital file in a first secure memory of said first device, but only if said 
device and/or user is so authorized, but not proceeding with said storing if said 
device and/or user is not authorized 

The Microsoft definition ignores embodiments describing alternative control 
structures, and improperly requires that "the" file be stored, as opposed to a copy, VDE 
controls, and a VDE Secure Processing Environment. 

storing information associated with said digital file in a secure database stored on 
said first device, said information including at least one control 

Microsoft's definition improperly requires that the stored information be 
associated with the digital file but not the digital file's contents, VDE controls, a VDE 
Secure Processing Environment and that the step proceed regardless of the outcome of 
the authentication step. 

determining whether said digital file may be copied and stored on a second device 
based on said at least one control 

The Microsoft definition incorporates numerous unnecessary limitations not 
required by the claim or the specification, improperly requires that "the" file, as opposed 
to a copy, be stored on a second device, excludes described alternative embodiments, 
requires an absolute degree of control that is inconsistent with the specification, and 
requires that the step proceed regardless of the outcome of the authentication step. 

if said at least one control allows at least a portion of said digital file to be copied 
and stored on a second device, 

The Microsoft definition's "explanation" of the branches makes no sense and is 
unsupported by the claim and , improperly requires that "the" file, as opposed to a copy, 
be stored on a second device. 

copying at least a portion of said digital file 

The Microsoft definition improperly distinguishes a "copy" and "the" file, and 
improperly excludes embodiments described in the specification and improperly requires 
that the step proceed regardless of the outcome of the authentication step. 

transferring at least a portion of said digital file to a second device 

The Microsoft definition improperly distinguishes a "copy" and "the" file, 
improperly requires that controls be executed and ignores alternative embodiments 
described in the specification, and improperly requires that the step proceed regardless of 
the outcome of the authentication step. 

storing said digital file 

The Microsoft definition improperly distinguishes a "copy" and "the" file, and 
improperly requires storage of the entire file rather than a portion, and improperly 
requires that the step proceed regardless of the outcome of the authentication step. 

193.19 

receiving a digital file at a first device 

The Microsoft definition includes numerous unnecessary limitations, including 
secure container, authenticating a recipient and use of controls. 

establishing communication between said first device and a clearinghouse located at 
a location remote from said first device 

The Microsoft definition improperly requires a communications channel and that 
the communications channel was "previously non-existent." 

using said authorization information to gain access to or make at least one use of 
said first digital file 

The Microsoft definition improperly requires that "all of the authorization 
information be used, VDE controls, a VDE Secure Processing Environment, and ignores 
embodiments describing alternative control structures. 

receiving a first control from said clearinghouse at said first device 

The Microsoft definition includes numerous unnecessary limitations, including 
secure container, authenticating a recipient and use of controls. 

storing said first digital file in a memory of said first device 

The Microsoft definition improperly requires VDE controls and a VDE Secure 
Processing Environment. 

using said first control to determine whether said first digital file may be copied and 
stored on a second device 

The Microsoft definition incorporates numerous unnecessary limitations not 
required by the claim or the specification, improperly requires that "the" file, as opposed 
to a copy, be stored on a second device, excludes described alternative embodiments and 
requires an absolute degree of control that is inconsistent with the specification. 

if said first control allows at least a portion of said first digital file to be copied and 
stored on a second device 

The Microsoft definition's "explanation" of the branches makes no sense and is 
unsupported by the claim and , improperly requires that "the" file, as opposed to a copy, 
be stored on a second device. 

copying at least a portion of said first digital file 

The Microsoft definition improperly distinguishes a "copy" and "the" file, and 
improperly excludes embodiments described in the specification. 

transferring at least a portion of said first digital file to a second device including a 
memory and an audio and/or video output 

The Microsoft definition improperly distinguishes a "copy" and "the" file, 
improperly requires that controls be executed and ignores alternative embodiments 
described in the specification. 

storing said first digital file portion 

Microsoft's definition improperly distinguishes a "copy" and "the" file. 

683.2 

the first secure container having been received from a second apparatus 

Microsoft's definition improperly requires that the first secure container identify 
the apparatus from which it was received, and improperly argues that, in the absence of 
such identification, that container could not be distinguished from a container created at 
the site. Microsoft's definition includes numerous improper limitations, including 
authenticating a recipient and authentication occurring in accordance with VDE controls. 
The examples cited by Microsoft are misleading, since these are specific embodiments 
rather than general requirements. 

an aspect of access to or use of 

Microsoft's definition improperly excludes rules governing more than one aspect, 
improperly excludes access and use and improperly requires that the aspect be governed 
in relation to "any and all processes, users, and devices." 

the first secure container rule having been received from a third apparatus different 
from said second apparatus 



Microsoft's definition improperly requires that the first secure container identify 
the apparatus from which it was received, and improperly argues that, in the absence of 
such identification, that container could not be distinguished from a container created at 
the site. Microsoft's definition includes numerous improper limitations, including receipt 
in a secure container, authenticating a recipient and authentication occurring in 
accordance with VDE controls. 

hardware or software used for receiving and opening secure containers 

Microsoft's definition improperly requires a Secure Processing Environment and 
SPU, improperly requires "the same single logical piece of either hardware or software 
(as opposed to both)," and improperly requires authentication and VDE controls. 

said secure containers each including the capacity to contain a governed item, a 
secure container rule being associated with each of said secure containers 

The Microsoft definition improperly requires that rules be associated with secure 
containers, as opposed to governed items. 

protected processing environment at least in part protecting information contained 
in said protected processing environment from tampering by a user of said first 
apparatus 

The Microsoft definition is unsupported in the specification. It is contradicted by 
the claim and improperly requires numerous elements not required by the specification, 
including a Secure Processing Environment. 

hardware or software used for applying said first secure container rule and a second 
secure container rule in combination to at least in part govern at least one aspect of 
access to or use of a governed item contained in a secure container 

The Microsoft definition improperly requires a Secure Processing 
Environment/SPU, a "single" piece of hardware or software, assembly of a control and 
governance through VDE controls. 

hardware or software used for transmission of secure containers to other 
apparatuses or for the receipt of secure containers from other apparatuses. 

The Microsoft definition improperly requires a Secure Processing 
Environment/SPU, a "single" piece of hardware or software, assembly of a control and 
governance through VDE controls. The examples cited by Microsoft are misleading, 
since these are specific embodiments rather than general requirements. 

721.1 



digitally signing a first load module with a first digital signature designating the first 
load module for use by a first device class 

The Microsoft definition improperly requires that the digital signature be used as 
the signature key, that all load modules be signed and that certain devices not have keys. 

digitally signing a second load module with a second digital signature different from 
the first digital signature, the second digital signature designating the second load 
module for use by a second device class having at least one of tamper resistance and 
security level different from the at least one of tamper resistance and security level 
of the first device class 

The Microsoft definition improperly requires that the digital signature be used as 
the signature key, that all load modules be signed, that certain devices not have keys, that 
security levels be persistent and that security levels be greater or less than other security 
levels. 

distributing the first load module for use by at least one device in the first device 
class 

The Microsoft definition improperly requires transmission and that the digital 
signature accompany the first load module as distributed. 

distributing the second load module for use by at least one device in the second 
device class 

The Microsoft definition improperly requires transmission and that the digital 
signature accompany the first load module as distributed. 

721.34 

arrangement within the first tamper resistant barrier 

The Microsoft definition improperly requires that the arrangement be "executed 
wholly within the first tamper resistant barrier." 

prevents the first secure execution space from executing the same executable 
accessed by a second secure execution space having a second tamper resistant 
barrier with a second security level different from the first security level 

The Microsoft definition improperly requires that the second secure execution 
space be part of the protected processing environment, that security level differences be 
persistent and higher or lower than each other and that the "same" executable be 
executed. 



861.58 



creating a first secure container 



The Microsoft definition improperly requires a VDE Secure Processing 
Environment. 

including or addressing . . . organization information . . . desired organization of a 
content section. . . and metadata information at least in part specifying at least one 
step required or desired in creation of said first secure container 

The second paragraph from Microsoft's definition is inconsistent with the claim. 
The limitations imposed by the third paragraph are not required by the claim or 
specification. 

at least in part determine specific information required to be included in said first 
secure container contents 

The Microsoft definition improperly excludes other reasons for inclusion of the 
information and improperly requires specific values. 

rule designed to control at least one aspect of access to or use of at least a portion of 
said first secure container contents 

The Microsoft definition improperly requires that the rule be designed for 
particular contents, that the rule be used by VDE controls, the presence of a VDE Secure 
Processing Environment and that the rule is generated or identified based on the 
descriptive data structure. Microsoft's definition also excludes embodiments describing 
alternative control structures. 

891.1 

resource processed in a secure operating environment at a first appliance 

The Microsoft definition improperly requires a shared facility and a Secure 
Processing Unit with specific features. 

securely receiving a first entity's control at said first appliance 

The Microsoft definition includes numerous unnecessary limitations, including 
secure container, authentication, use of controls and encryption on the communications 
level. 

securely receiving a second entity's control at said first appliance 



The Microsoft definition includes numerous unnecessary limitations, including 
secure container, authentication, use of controls and encryption on the communications 
level. 

securely processing a data item at said first appliance, using at least one resource 

The Microsoft definition improperly requires a Secure Processing Unit including 
numerous limitations. 

securely applying, at said first appliance through use of said at least one resource 
said first entity's control and said second entity's control to govern use of said data 
item 

The Microsoft definition improperly requires a Secure Processing Environment 
consisting of a Secure Processing Unit and that the resource be a component part of a 
secure operating environment. 

900.155 

first host processing environment comprising 

The Microsoft definition incorporates limitations not required by the claim or the 
specifications, including limiting the host processing environment to only currently 
executing software. 

designed to be loaded into said main memory and executed by said central 
processing unit 

The Microsoft definition improperly requires that the software is capable of being 
loaded "only" in the main memory and executed "only" by the CPU. 

said tamper resistant software comprising: . . . one or more storage locations storing 
said information 

The Microsoft definition improperly requires that the storage locations be part of 
the machine check programming and that the storage locations must not store other 
information. 

derives information from one or more aspects of said host processing environment, 

The Microsoft definition improperly requires that information be derived from 
"hardware," and that the information "uniquely and persistently" identify the host 
processing environment. 

one or more storage locations storing said information 



The Microsoft definition improperly requires that the storage locations be part of 
the tamper resistant software and that the storage locations must not store other 
information. 

information previously stored in said one or more storage locations 

Microsoft's definition would render the claim nonsensical, since it would require 
a comparison involving information that is no longer available for the comparison. 

generates an indication based on the result of said comparison 

Microsoft's definition improperly requires that only two results be possible and 
that the indication is based solely on the result of the "compares" step. 

programming which takes one or more actions based on the state of said indication 

The Microsoft definition improperly requires executable programming, that the 
programming not be part of the host processing environment, that the programming must 
take an action regardless of the indicator state and that the action must be based solely on 
the state of the indication. 

at least temporarily halting further processing 

Microsoft's definition improperly requires that the host processing environment 
and all processes running in it be halted. 

912.8 

identifying at least one aspect of an execution space required for use and/or 
execution of the load module 

The Microsoft definition improperly requires that the identifier "define fully, 
without reference to any other information." 

said execution space identifier provides the capability for distinguishing between 
execution spaces providing a higher level of security and execution spaces providing 
a lower level of security 

The Microsoft definition improperly requires that the execution space identifier 
provides the load module with the ability to determine a level of security, and the 
presence of two higher and two lower levels of security. 

checking said record for validity prior to performing said executing step 



The Microsoft definition improperly requires that the record be checked before 
execution of any identified information, that evaluation occur within a VDE Secure 
Processing Environment, and that specific types of information be checked. 

912.35 

received in a secure container 

The Microsoft definition improperly requires "encapsulation" in a secure 
container, authentication in accordance with VDE controls and acceptance of the secured 
container. 

said component assembly allowing access to or use of specified information 

The Microsoft definition improperly requires that the component assembly 
operate by itself, that it execute in a VDE Secure Processing Environment and that the 
component assembly be dedicated to specific information. The Microsoft definition 
ignores embodiments describing alternative control structures and improperly 
distinguishes access and use. 

said first component assembly specified by said first record 

The first paragraph of Microsoft's definition defines this term in a restrictive 
manner with no support in the claim. Microsoft's second paragraph is devoted to a 
non-existent inconsistency created by Microsoft's restrictive definition. 

Claims as a Whole: 

In every case, Microsoft requires the system be a VDE or the method be 
performed in a VDE. This requirement is not supported by the language of any of the 
claims. 

Global Construction 

The language of the individual claims contains nothing to support the large 
number of restrictions imposed by Microsoft's "global construction." Those restrictions 
are unsupported by and in many cases contradicted by the specification. 

2. Digital Rights Management in general. Dr. Reiter will testify regarding Digital 
Rights Management technology, including encryption and tamper-resistance techniques. 
The nature and extent of such testimony will depend on the Court's decision as to the 
scope and format of tutorial presentations. 

3. InterTrust's patents and patent claims. Dr. Reiter will testify regarding the 
general nature of the InterTrust patents, and will summarize the claims at issue in the 
initial Joint Claim Construction hearing. The nature of that testimony will depend on the 
Court's decision as to ordering and format of testimony, but will be consistent with the 
testimony outlined above regarding claim terms and phrases. 



Exhibit G 

Summary of Opinions of Professor John Mitchell 

In Support of Microsoft's Proposed Claim Constructions 

1. In the field of computer security, terms such as "secure," "protect," and "tamper 
resistance" are understood differently depending on the particular context in which they are 
used. They have such a range of possible meanings that context is essential to understanding 
what these terms mean in a given instance. The same is true for terms like "govern" and 
"control" when they are used to describe computer systems or access to information. 

A person skilled in the computer security field would not expect to use a dictionary to 
understand what these terms mean in a given context; rather, he or she would expect to review 
the particular reference or system in question to see what adversarial events or attacks are 
being defended against. Generally speaking, dictionary "definitions" are not sufficient for 
understanding how these terms are meant in a particular case. A number of terms and phrases 
used in the February 1995 application (such as "VDE," "PPE," and "secure container") are 
also not likely to be found in dictionaries. 

2. The February 1995 application (which is sometimes referred to as the "Big Book") 
never clearly explains what it means by "security." It would not be clear to someone of 
average skill in the field what "secure" means in that application - for example, with regard 
to systems, system components, information, or processes. The same is true for such terms 
as "protected" and "tamper resistant." 

3. If a reasonably skillful computer security professional were to presume that "secure" 
has all of the attributes that are promised in the February 1995 application, then "secure" 
requires a guarantee of secrecy, authenticity, integrity, nonrepudiation, and availability, 
against all security threats identified in that application other than excessively costly brute 
force attacks. (What constitutes excessive cost in this context is not clearly explained). 
Again taking the February 1995 application's promises for context, "tamper resistance" 
requires that some barrier is in place which prevents access to or alteration of information in 
an unauthorized manner, the terms "secure" and "security", and additional terms such as 
"secure container," "control," "govern," "protect," "protected processing environment," "host 
processing environment" and "virtual distribution environment," would be understood, to the 
extent possible, as set forth in Microsoft's PLR 4-2 Statement, as opposed to the definitions 
listed in InterTrust's PLR 4-2 Statement. 

4. Professor Mitchell will explain the qualifications of a person of reasonable skill in the 
computer security field, including as of February 13, 1995, and explain how cited references 
(such as U.S. Patent 5,634,012 to Stefik et al., U.S. Patents 4,868,877 and 5,337,360 to 
Fischer, Choudhury et al.'s "Copyright Protection for Electronic Publishing over Computer 
Networks," U.S. Patent 4,658,093 to Hellman, and Mori et al.'s "Superdistribution: The 
Concept and Architecture" (Transactions of the IECE 1990)) would influence such a person's 
understanding of the InterTrust disclosure. He may also address the substance of additional 
references published or created before February 13, 1995, not cited in the InterTrust patents. 

5. The specifications of the '721, '900, and '861 patents do not resolve any of these 
problems with the Big Book application. 

Summary of Opinions of Professor David Maier 

in Support of Microsoft's Proposed Claim Constructions 



1. The specification of U.S. Patent No. 6,253,193 ("the '193 patent") describes several 
mandatory features of the Virtual Distribution Environment ("VDE") architecture, including: 

• the creation of a comprehensive data security and commerce world; 

• the ability to handle all types of digital works independent of computing platform, 
making it a single, general purpose solution in contrast to multiple, limited purpose 
solutions; 

• flexible control mechanisms that can be applied to any granularity of content; 

• control mechanisms that are configurable by any user, not just the system designers or 
content providers; and 

• isolation of the system programs and protected works from the non-VDE world, 
preventing observation, alteration, interference, or removal from the VDE, except as 
permitted by the VDE control mechanisms. 

This does not mean that the capabilities of the Virtual Distribution Environment can be 
achieved, only that these are features that the '193 patent makes clear a VDE must have. 

2. The specification of the '193 patent describes a system that requires several 
architectural elements including at least the following: 

• VDE Foundation Hardware and Software - installed throughout an infrastructure of 
interlinked computing devices; 

• The VDE "Secure Container" - a mechanism for packaging protected works, control 
information, and administrative information; and 

• The VDE "Control" - a mechanism for defining the regimen for using protected 
information that is inside a secure container. 

3. Professor Maier will describe the background of a person of ordinary skill in the art. 
Such a person would understand the claims in light of the required capabilities and 
architectural features above. 

4. The specification set forth in the '193 patent has numerous inconsistencies in its 
terminology. Some inconsistencies concern the data hierarchy (e.g., methods, control 
information, component assemblies). Other examples include the description of a non-secure 
host event processing environment and the concept of containment. 

The following further summarizes Professor Maier's opinions. 

I. EXPLANATION OF U.S. PATENT NO. 6,253,193 

A. Asserted Capabilities of the Virtual Distribution Environment 

The '193 Patent describes a system that is asserted to be the first universal, distributed 
processing system for persistently controlling digital information. This system was given 
the name "Virtual Distribution Environment" or "VDE." As described in the Patent, VDE 
promised at least the following mandatory features: 

1. the creation of a comprehensive data security and commerce world; 

2. the ability to handle all types of digital works independent of computing platform, 
making it a single, general purpose solution in contrast to multiple, limited solutions; 

3. flexible control mechanisms that can be applied to any granularity of content; 

4. control mechanisms that are configurable by any user, not just the system designers 
or content providers; and 

5. isolation of the system programs and protected works from the non-VDE world, 
preventing observation, interference, or removal from the VDE, except as permitted 
by the VDE control mechanisms. 

Although these features are promised by the '193 Patent, this does not mean that they are 
necessarily achievable. 

1. Comprehensive Data Security and Commerce World 

According to the '193 Patent, VDE is described as being the only comprehensive 
solution in a world of limited solutions. VDE is described as an end-to-end solution for 
digital works that guarantees the authenticity, confidentiality and integrity of the works 
and the VDE mechanisms. These protections are promised to be effective against any 
unauthorized activity by a third party (i.e. a user other than the creator of the work) that 
has physical possession of the computing hardware and wishes to circumvent the 
protections. 

VDE must provide the ability to control the distribution and usage of digital works as 
well as tracking, reporting, auditing and handling payment for the distribution and usage. 
Additionally, VDE must support multiple business models simultaneously, for example, 
time-based and volume-based charging for the same digital work or licensing digital 
works with or without added sub-licensing rights. 

Only those systems that are members of the electronic commerce world can participate 
in VDE commerce transactions. Consequently, all transactions must occur between 
member systems since there is no way to control digital works that are outside the 
boundaries of the VDE world. 

2. General Purpose 

According to the '193 Patent, the VDE system is the only rights management solution 
needed by its users because it is capable of handling and protecting all types of digital 
works, such as digital audio, digital video, software, digital cash, digital documents, 
electronic publications, etc. within a single rights management framework, whereas 
previous systems handled only limited subsets of information types. It further states that 
VDE can function within all types of electronic devices, from smart cards, pagers and 
telephones to supercomputers. 

3. Flexible 

According to the '193 Patent, the VDE system can manage protected works in 
arbitrarily sized data chunks, down to the smallest atomic element. The Patent 
distinguished prior art systems that used access controls that were limited to the file level 
or resource level. The VDE system is described as being able to meter, track, bill and 
audit the usage of these arbitrary data chunks in addition to controlling the access to those 
data chunks. For example, a consumer can be charged by the number of bytes 
downloaded or by the number of paragraphs printed. Additionally, each of these actions 
can be specified independently, such that two objects can be metered differently, but 
billed identically. 

This flexibility allows two different users to be charged at different rates, for different 
granularities, and in different currencies for using the same digital work. The '193 Patent 
distinguished prior art systems that lacked this flexibility. 

4. Controls Configurable by All Users 

According to the '193 Patent, the VDE system protects a digital work from the instant 
it is placed under VDE control subject to the permissions provided by the object creator 
(or rights holder) at the same or at another VDE "secure node." (The nature of the "secure 
node" is discussed later.) From that moment, the digital work becomes encapsulated 
within a VDE container. Then, the creator must grant permissions for accessing and 
distributing the digital work within the VDE object as well as identify how the object can 
be handled by other users of the VDE world. 

These other users can create additional VDE-based controls for this protected work. 
In general, these controls only impose additional restrictions on the VDE object because 
they cannot conflict with the creator's VDE controls (except in the limited case in which 
the creator allows his controls to be modified by other users.) Even the end user is 
permitted to add VDE controls to VDE objects that he has received. 

VDE controls are said to be persistent in that they become permanently associated with the 
protected work once they are received, and they cannot be removed or deleted except as 
permitted by so-called "senior" VDE controls. 

5. System Isolation 

According to the '193 Patent, VDE protected works can only be accessed using VDE- 
certified foundation hardware and software. As a fundamental requirement, the VDE 
foundation must isolate the internal workings of the system from the user because the user 
is not trusted. 

Each computing device in the VDE world constitutes a "secure node" that must 
provide a "protected processing environment" (PPE) composed of VDE-certified 
foundation hardware and software. Sensitive materials such as protected works, 
administrative information, control information, and VDE software components, are 
passed between the protected processing environments of secure nodes inside "secure 
containers" that shield the materials from outside observation and alteration while in 
transit or in storage. The PPE must also shield all processing of the materials inside the 
PPE and also prevent the materials or process state information from "leaving" the VDE 
except as authorized by VDE control information. If the system fails to keep a protected 
work secret, then it can be distributed freely from that point onward. If the system fails to 
prevent alteration, then the consumer may receive invalid information (e.g., a bad stock 
quote), the consumer may receive less value than that for which he bargained (e.g., digital 
cash token that has been devalued), or the consumer's computer may be damaged by 
malicious code (e.g., virus-infected software), just to name a few examples. If the system 
fails to prevent the materials or process state information from leaving, then it can be 
moved to a system outside the VDE control regime for examination, manipulation, 
replication, or analysis. 

Electronic devices outside the VDE world do not incorporate the VDE foundation, and 
hence are not constrained by VDE protocols. Thus, protected works are not permitted to 
be in clear text form outside of the isolated and rigidly controlled protected processing 
environment. 

To guarantee the isolation and integrity of the PPE, the VDE foundation software 
itself must be protected by storing it in a location that is inaccessible to the user or by 
encrypting it when it is stored at a location that can be observed by the user. 

B. VDE Core Architecture 

According to the '193 Patent, three constituent building blocks are necessary to 
implement the VDE world: 

1. VDE Foundation Hardware and Software - installed throughout an 
infrastructure of interlinked computing devices, each of which is called a 
"secure node"; 

2. The VDE "Secure Container" - a mechanism for packaging protected works, 
control information, and administrative information; and 

3. The VDE "Control" - a mechanism for defining the regimen for using 
protected information that is inside a secure container. 

Both controls and protected works are transferred between secure nodes by means of the 
secure container mechanism. Secure containers can be opened (and the protected works 
used) only within the protected processing environment of a secure node by executing 
VDE controls that regulate and track such activity. 

The proper combination of these three building blocks isolates internal processing 
from the untrusted user (by creating an unbypassable foundation of hardware and 
software); isolates protected works from the untrusted user (by placing them in a shielded 
data structure); and provides a control mechanism that will allow the untrusted user to 
make use of the protected works only under controlled conditions. 

1. VDE Foundation Hardware/Software 

The VDE foundation hardware and software must ensure that the competing interests 
of both the owner and user of protected works are respected. The owner has an interest in 
controlling the distribution of his digital works and in compelling the reporting and 
payment for such use. The user has an interest in the control of his computing device, his 
privacy, and the availability of digital works for which he has paid. 

The VDE foundation hardware and software must provide a sequestered venue in 
which external authority dominates the user's local authority in the control of information 
and processing. This VDE foundation hardware and software is the basis for any VDE 
installation on a device. 

A VDE secure node is a device that provides a VDE installation incorporating VDE 
foundation hardware and software as the base stratum on which all VDE functions are 
executed. In any secure node where protected works are used or where VDE control 
information is created or modified, a VDE secure subsystem core must be present. This 
core is enclosed by a "tamper resistant security barrier" that prevents observation of, 
interference with, and leaving of information and processes except as authorized by VDE 
control information. 

This VDE secure subsystem core handles encrypting and decrypting data and code, 
storing control and metering information, managing secure communication with other 
VDE secure subsystem cores at other secure nodes, dynamically assembling and 
executing VDE control procedures, and updating control information for protected works. 
Control procedures for the promised permission checking, metering, billing, and budget 
management features all execute within the VDE secure subsystem core. 

The VDE foundation hardware and software must guarantee that control procedures 
triggered by user or system events are executed correctly and completely in the VDE 
secure subsystem core. Both correctness and completeness are necessary to preserve the 
integrity of VDE control regime. Failure can compromise the rights, privacy, or financial 
interests of the owner or user of the protected works. 

According to the '193 Patent, these functions are provided and enforced by a secure 
processing unit (SPU) that is protected by a special purpose physical enclosure (the 
tamper resistant security barrier) that conceals the underlying VDE processing from 
observation or interference by external persons or processes, and that destroys information 
rather than allow the information to leave the VDE subsystem core via unauthorized 
means. 

The '193 Patent suggests that a tamper resistant security barrier might be simulated 
solely in software by using several known software techniques, but it gives no specific 
direction as to how these techniques can be applied to achieve the guarantees required by 
the VDE secure subsystem core in an environment that is under the control of an untrusted 
user. 

2. VDE Secure Containers 

An invariant requirement of the VDE container concept is that no access or use can be 
made of the protected works within a VDE container except as regulated by associated 
VDE control information. This associated control information can be provided in the 
same secure container that holds the protected works or it can be provided independently 
in a separate secure container. 

In addition to the protected works included within a secure container, there can be 
references to other digital works stored external to the container. However, the container 
cannot regulate other access or usage to these externally stored digital works. 
("Containment" is discussed further in Section IV. D.) 

VDE secure containers can contain administrative information, such as auditing, 
tracking, and billing requests and reports. 

The internal structure of a VDE secure container must be able to store independently 
manageable digital works. Subsections of a VDE secure container can be encrypted by 
different keys, including subdivisions of a single digital work. 

The internal structure of a VDE secure container must be able to store other VDE 
secure containers nested inside it. Each nested container is subject to its own independent 
control information. Control information corresponding to the outer container may not 
override more restrictive control information that corresponds to a secure container nested 
within it. 

The VDE secure container supports modification of its contents and its control 
information subject to the current corresponding control information. 

Because of this capability, a VDE secure container may be empty in the sense that it 
does not contain a digital work while it does contain control information that identifies the 
digital work that can be added to the secure container. Thus, a VDE secure container can 
be used as a mobile agent to retrieve digital works from remote locations. 

3. VDE Controls 

According to the '193 Patent, the configurability and flexibility of the VDE system 
arises jointly from the modular and independently selectable nature of control information 
and the dynamic construction and execution of control procedures within the VDE secure 
subsystem of a computing device. As used herein, the VDE secure subsystem refers to the 
VDE foundation hardware and software residing within the tamper resistant security 
barrier. 

VDE controls are executable procedures constructed by the VDE foundation as a 
response to a request to access or use a specific protected work. The control is 
constructed inside the VDE secure subsystem using VDE control information. VDE 
control information is composed of executable code, rule information that is enforced by 
the executable code, and blueprint instructions for constructing the executable control. 
The VDE secure subsystem guarantees that the control procedure is constructed according 
to the blueprint instructions and that the components used in the construction are authentic 
as to source, identity, and data integrity. 

All use of protected works is regulated by corresponding control information that is 
used to construct each executable control procedure. Different control procedures can 
regulate auditing, billing, metering, tracking and usage events (such as printing, rendering, 
copying, etc.) with respect to individual users for a single instance of a protected work. 
These events cannot occur except as regulated by the execution of the individual control 
procedures. Additionally, these control procedures can be applied at arbitrarily fine levels 
of granularity, such as charging for the number of bytes read. 

Any VDE user can define control procedures to the extent permitted by senior VDE 
control information. 

Control information is deliverable independent of the protected work. Individual 
portions of control information are deliverable independent of each other. Control 
information may be added, modified, or replaced over time to the extent permitted by 
earlier control information. Because independent control information for any given 
instance of a protected work can be created by different sources at different locations and 
different times, the control information from these sources can be in conflict. VDE must 
supply a means for resolving these conflicts. According to the '193 Patent, the executable 
controls negotiate to determine the conditions under which a protected work may be used. 
Thus, controls are said to "evolve" over time. 

Once delivered to a VDE node with the corresponding protected work, control 
information persists throughout the life of the protected work. 

The VDE controls must support a broad range of control regimes, all of which can co- 
exist on a single VDE secure node. 

Dynamic assembly and execution of a VDE control must occur within the VDE secure 
subsystem. Construction of a VDE control from its component parts in a non-VDE 
system allows unconstrained access to digital works. Thus, VDE control information is 
transmitted between secure nodes using VDE secure containers and stored at VDE nodes 
in encrypted form whenever outside the VDE secure subsystem. 

Executable control procedures are constructed from load modules, data, and VDE 
methods. These control procedures are assembled and executed in response to user and 
system events. According to some statements in the '193 Patent, a "component assembly" 
is a VDE control procedure. 

C. Claim Interpretation 

A person of ordinary skill in the art would understand the claims of the '193 Patent in 
light of the mandatory capabilities and architectural components described above. 

D. Summary of Internal Inconsistencies 

The '193 Patent contains numerous internal inconsistencies. Examples of these 
inconsistencies are given below. 

1. Use of Quotations 

Hundreds of terms are set off in quotations throughout the specification. These terms 
include: detail description, virtual distribution environment, electronic highway, VDE 
aware, content, virtual, things, chain of handling and control, rules and controls, CD 
ROM, information utility, switch, transaction processor, usage analyst, operating system, 
method, budget, atomic, firmware, hash bucket, peripheral device, event-based, multi- 
threaded, locking, Remote Procedure Call, two-phase commit, and read only. Some of 
these terms are coined (such as VDE aware; rules and controls; and usage analyst) while 
many are well known computer concepts (such as operating system and Remote 
Procedure Call). 

In many cases, it is unclear whether any particular use of quotation marks was 
intended to introduce a coined term, to indicate figurative or metaphorical usage of a term, 
to indicate non-standard or a weakened usage of a term, or something else. 

2. System Availability 

In the Abstract, the '193 Patent asserts that "the invention . . . maintain[s] the integrity, 
availability, and/or confidentiality" of protected works. However, the system described 
does not appear to be designed to guarantee the availability of protected works. Rather, 
any deviation from the expected processing sequence is considered to be evidence of an 
attempt to crack the system or steal the protected works. In response, the system is likely 
to halt all processing until a trusted VDE administrator intervenes and resets the system. 
Additionally, the '193 Patent uses denial of service to enforce reporting obligations 
imposed by a rights holder. This practice is not consistent with preserving availability of 
digital works. 

3. "Container" vs. "Object" 

There is no consistent delineation in the '193 Patent between the terms "container" 
and "object." Initially, there appears to be a distinction in that the container is a shell data 
structure that is encapsulating data and the object is the combination of the container data 
structure and the encapsulated data. See Fig. 5A. Elsewhere, this distinction is blurred by 
the use of such phrases as: 

"secure object (content container)"; 

"VDE content container is an object"; and 

"VDE container (object)", 

which appear to make container and object synonymous. 

4. The Property of Being "Contained" 

In the '193 Patent, there is no clear definition for the term "contain." The '193 patent 
states at one point that a container such as "container 302 may 'contain' items without 
those items actually being stored in the container." This definition of "contain" to include 
"referencing" is not customary in information storage terminology. 

Subsequent examples in the '193 indicate that "contain" and "reference" are distinct 
relationships. For example, "may contain or reference" is used numerous times such as in 
"Load modules 1100 may contain or reference other load modules." and as in "Container 
300y may contain and/or reference " 

5. Inconsistent Data Structure Hierarchy 

The hierarchy and relationships amongst rules, controls, methods, load modules, 
control information, and other data structures is inconsistent. 

a) "Rules and Controls" vs. "Control Information" 

The term "control information" is defined in the "Background and Summary of the 
Invention" of the '193 Patent as: ". . . load modules, associated data and methods . . ." 

Later, the specification uses the phrase "'rules and controls' (control information)" as if 
the phrases "control information" and "rules and controls" are synonymous. Further, it 
states that "rules and controls" can be in the form of: "a 'permissions record' 808; 
'budgets' 308 and 'other methods' 1000", but makes no mention of load modules. 

Subsequent uses of "control information" such as: ". . . other aspects of the information to 
be contained within the object (e.g., rules and control information, identifying 
information, etc.)"; and "the user may specify permissions, rules and/or control 
information," indicate that rules are different and distinct from control information. 

b) "Component Assembly" vs. "Control Information" 

In the '193 Patent, the relationship between component assembly and control 
information in the data hierarchy is defined inconsistently. Contrast the statement: 

"In this example control information may include one or more component assemblies 
that describe the articles within such a container (e.g. one or more event methods 
referencing map tables and/or algorithms that describe the extent of each article)." 

with: 

". . . control information (typically a collection of methods related to one another by 
one or more permissions records, including any method defining variables) . . ." 
[italics in original] 

"This "channel 0" "open channel" task may then issue a series of requests to secure 
database manager 566 to obtain the "blueprint" for constructing one or more 
component assemblies 690 to be associated with channel 594 (block 1127). In the 
preferred embodiment, this "blueprint" may comprise a PERC 808 and/or URT 464." 

In one case, the component assembly is a part of control information, but in the other 
case, control information is separable from and describes how to build a component 
assemblies. 

c) "Budgets" 

According to the '193 Patent, "budgets" are a special type of "method". Methods are 
defined as containing, among other things, "User Data Elements". Elsewhere, budgets are 
cited as a common type of User Data Element. This inconsistency creates confusion as to 
whether any given use of the term "budget" refers to an executable method or a non- 
executable data structure. 

6. "Load Module" 

According to the '193 Patent, executable code is provided in the form of "'atomic' 
load modules", presumably meaning that they are the smallest unit of executable code. 
Later, however, load modules are sub-dividable into smaller load modules, which is 
inconsistent with atomicity. 

7. The "Non-Secure" "Protected Processing Environment" 

According to the '193 Patent, a necessary feature of a VDE computer is the "protected 
processing environment" or "PPE". Secure Event Processing Environments ("SPE"), in 
which all sensitive processing is handled inside a hardware device called a Secure 
Processing Unit ("SPU") are stated as being one type of PPE. Host Event Processing 
Environments ("HPE") are also said to be a type of PPE. The HPE classification is further 
described as having two sub-types: secure and non-secure. Additionally, the specification 
defines the three abbreviations as synonymous and interchangeable starting at column 103 
of the specification, unless the context of any given passage indicates otherwise. 
Further, no criteria are provided for distinguishing between a "secure HPE" and a 
"non-secure HPE." Thus, it is not possible to reconcile the "non-secure HPE" as a secure 
operating environment or protected processing environment. 